Signed-off-by: Michel Alexandre Salim <salimma@fedoraproject.org>epel8
commit
6bdddbaba4
@ -0,0 +1,80 @@
|
|||||||
|
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c
|
||||||
|
--- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec 2022-02-22 09:08:48.557823665 +0100
|
||||||
|
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-02-22 09:09:26.634133847 +0100
|
||||||
|
@@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- ret_group = (EC_GROUP *)group;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
EC_GROUP_free(dup);
|
||||||
|
return ret_group;
|
||||||
|
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
|
||||||
|
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec 2022-02-22 13:04:16.850856612 +0100
|
||||||
|
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-02-22 14:16:19.848369641 +0100
|
||||||
|
@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int
|
||||||
|
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
|
||||||
|
int flags = EC_KEY_get_flags(eck);
|
||||||
|
|
||||||
|
- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
|
||||||
|
- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
|
||||||
|
- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
|
||||||
|
- else
|
||||||
|
- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
|
||||||
|
+ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
|
||||||
|
+ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
|
||||||
|
@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ if (EC_GROUP_get_curve_name(group) == NID_undef) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
return EC_KEY_set_group(ec, group) > 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
|
||||||
|
--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100
|
||||||
|
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100
|
||||||
|
@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
|
||||||
|
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
|
||||||
|
{
|
||||||
|
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
|
||||||
|
- if (ossl_securitycheck_enabled(ctx)) {
|
||||||
|
- int nid, strength;
|
||||||
|
- const char *curve_name;
|
||||||
|
- const EC_GROUP *group = EC_KEY_get0_group(ec);
|
||||||
|
+ int nid, strength;
|
||||||
|
+ const char *curve_name;
|
||||||
|
+ const EC_GROUP *group = EC_KEY_get0_group(ec);
|
||||||
|
|
||||||
|
- if (group == NULL) {
|
||||||
|
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
- nid = EC_GROUP_get_curve_name(group);
|
||||||
|
- if (nid == NID_undef) {
|
||||||
|
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||||
|
- "Explicit curves are not allowed in fips mode");
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
+ if (group == NULL) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE, "No group");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ nid = EC_GROUP_get_curve_name(group);
|
||||||
|
+ if (nid == NID_undef) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
||||||
|
+ "Explicit curves are not allowed in this build");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ if (ossl_securitycheck_enabled(ctx)) {
|
||||||
|
curve_name = EC_curve_nid2nist(nid);
|
||||||
|
if (curve_name == NULL) {
|
||||||
|
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
|
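Review bot: In ec_validate (ec_kmgmt.c hunk), `ok = ok && EC_GROUP_check_named_curve(...)` treats every non-zero return as success, and per that function's manual page it returns -1 on internal error (0 only for "no match"), so a failure inside the curve comparison would validate the domain parameters instead of rejecting them; the pattern predates this patch, but the patch makes it the sole validation path. I would change the two new lines to `ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck), (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx) > 0;`. Note also that the unconditional explicit-curve rejection in ossl_ec_check_key sits under `# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)`, so the "not allowed in this build" guarantee silently depends on that build option being left at its default; the `#if` is visible at the top of the hunk but the rest of that function lies outside it.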
@ -0,0 +1,18 @@
|
|||||||
|
diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
|
||||||
|
--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
|
||||||
|
+++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
|
||||||
|
@@ -55,11 +55,11 @@ providers = provider_sect
|
||||||
|
# to side-channel attacks and as such have been deprecated.
|
||||||
|
|
||||||
|
[provider_sect]
|
||||||
|
-default = default_sect
|
||||||
|
+##default = default_sect
|
||||||
|
##legacy = legacy_sect
|
||||||
|
##
|
||||||
|
-[default_sect]
|
||||||
|
-activate = 1
|
||||||
|
+##[default_sect]
|
||||||
|
+##activate = 1
|
||||||
|
|
||||||
|
##[legacy_sect]
|
||||||
|
##activate = 1
|
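Review bot: Commenting out both `default = default_sect` and `[default_sect]` leaves `[provider_sect]` with no activated provider, so the default provider is reached only through OpenSSL's implicit fallback, and as I understand that rule the fallback is skipped once any provider has been explicitly activated; a user who later uncomments only `##legacy = legacy_sect` would therefore lose every default-provider algorithm. That is worth stating in the file itself, e.g. a line after `##default = default_sect` reading `## If you activate any provider here (e.g. legacy), re-enable default as well: the implicit default-provider fallback only applies while no provider is activated.`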
@ -1,18 +0,0 @@
|
|||||||
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
|
|
||||||
index 173c99ce1732..7a4b780bb469 100644
|
|
||||||
--- a/providers/implementations/rands/seed_src.c
|
|
||||||
+++ b/providers/implementations/rands/seed_src.c
|
|
||||||
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
|
|
||||||
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- *pout = p;
|
|
||||||
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
|
|
||||||
- adin, adin_len) != 0)
|
|
||||||
+ adin, adin_len) != 0) {
|
|
||||||
+ *pout = p;
|
|
||||||
return bytes_needed;
|
|
||||||
+ }
|
|
||||||
OPENSSL_secure_clear_free(p, bytes_needed);
|
|
||||||
return 0;
|
|
||||||
}
|
|
@ -0,0 +1,161 @@
|
|||||||
|
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
|
||||||
|
#(partial) of the function provider_conf_load() under the 'if (activate) section.
|
||||||
|
#If there is any change to this section, after deleting it in provider_conf_load()
|
||||||
|
#ensure that you also add those changes to the provider_conf_activate() function.
|
||||||
|
#additionally please add this check for cnf explicitly as shown below.
|
||||||
|
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
|
||||||
|
diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c
|
||||||
|
--- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE 2022-01-18 15:36:00.956141345 +0100
|
||||||
|
+++ openssl-3.0.1/crypto/provider_conf.c 2022-01-18 15:42:36.345172203 +0100
|
||||||
|
@@ -136,58 +136,18 @@ static int prov_already_activated(const
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||||
|
- const char *value, const CONF *cnf)
|
||||||
|
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
|
||||||
|
+ const char *value, const char *path,
|
||||||
|
+ int soft, const CONF *cnf)
|
||||||
|
{
|
||||||
|
- int i;
|
||||||
|
- STACK_OF(CONF_VALUE) *ecmds;
|
||||||
|
- int soft = 0;
|
||||||
|
- OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||||
|
- const char *path = NULL;
|
||||||
|
- long activate = 0;
|
||||||
|
int ok = 0;
|
||||||
|
-
|
||||||
|
- name = skip_dot(name);
|
||||||
|
- OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||||
|
- /* Value is a section containing PROVIDER commands */
|
||||||
|
- ecmds = NCONF_get_section(cnf, value);
|
||||||
|
-
|
||||||
|
- if (!ecmds) {
|
||||||
|
- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||||
|
- "section=%s not found", value);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Find the needed data first */
|
||||||
|
- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||||
|
- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||||
|
- const char *confname = skip_dot(ecmd->name);
|
||||||
|
- const char *confvalue = ecmd->value;
|
||||||
|
-
|
||||||
|
- OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||||
|
- confname, confvalue);
|
||||||
|
-
|
||||||
|
- /* First handle some special pseudo confs */
|
||||||
|
-
|
||||||
|
- /* Override provider name to use */
|
||||||
|
- if (strcmp(confname, "identity") == 0)
|
||||||
|
- name = confvalue;
|
||||||
|
- else if (strcmp(confname, "soft_load") == 0)
|
||||||
|
- soft = 1;
|
||||||
|
- /* Load a dynamic PROVIDER */
|
||||||
|
- else if (strcmp(confname, "module") == 0)
|
||||||
|
- path = confvalue;
|
||||||
|
- else if (strcmp(confname, "activate") == 0)
|
||||||
|
- activate = 1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (activate) {
|
||||||
|
- PROVIDER_CONF_GLOBAL *pcgbl
|
||||||
|
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||||
|
- &provider_conf_ossl_ctx_method);
|
||||||
|
+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||||
|
+ PROVIDER_CONF_GLOBAL *pcgbl
|
||||||
|
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||||
|
+ &provider_conf_ossl_ctx_method);
|
||||||
|
|
||||||
|
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
||||||
|
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||||
|
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
||||||
|
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
|
||||||
|
if (path != NULL)
|
||||||
|
ossl_provider_set_module_path(prov, path);
|
||||||
|
|
||||||
|
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
||||||
|
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
||||||
|
|
||||||
|
if (ok) {
|
||||||
|
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||||
|
@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C
|
||||||
|
ossl_provider_free(prov);
|
||||||
|
}
|
||||||
|
CRYPTO_THREAD_unlock(pcgbl->lock);
|
||||||
|
+ return ok;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||||
|
+ const char *value, const CONF *cnf)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ STACK_OF(CONF_VALUE) *ecmds;
|
||||||
|
+ int soft = 0;
|
||||||
|
+ const char *path = NULL;
|
||||||
|
+ long activate = 0;
|
||||||
|
+ int ok = 0;
|
||||||
|
+
|
||||||
|
+ name = skip_dot(name);
|
||||||
|
+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||||
|
+ /* Value is a section containing PROVIDER commands */
|
||||||
|
+ ecmds = NCONF_get_section(cnf, value);
|
||||||
|
+
|
||||||
|
+ if (!ecmds) {
|
||||||
|
+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||||
|
+ "section=%s not found", value);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Find the needed data first */
|
||||||
|
+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||||
|
+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||||
|
+ const char *confname = skip_dot(ecmd->name);
|
||||||
|
+ const char *confvalue = ecmd->value;
|
||||||
|
+
|
||||||
|
+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||||
|
+ confname, confvalue);
|
||||||
|
+
|
||||||
|
+ /* First handle some special pseudo confs */
|
||||||
|
+
|
||||||
|
+ /* Override provider name to use */
|
||||||
|
+ if (strcmp(confname, "identity") == 0)
|
||||||
|
+ name = confvalue;
|
||||||
|
+ else if (strcmp(confname, "soft_load") == 0)
|
||||||
|
+ soft = 1;
|
||||||
|
+ /* Load a dynamic PROVIDER */
|
||||||
|
+ else if (strcmp(confname, "module") == 0)
|
||||||
|
+ path = confvalue;
|
||||||
|
+ else if (strcmp(confname, "activate") == 0)
|
||||||
|
+ activate = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (activate) {
|
||||||
|
+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
|
||||||
|
} else {
|
||||||
|
OSSL_PROVIDER_INFO entry;
|
||||||
|
|
||||||
|
@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */
|
||||||
|
+ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf);
|
||||||
|
+ PROVIDER_CONF_GLOBAL *pcgbl
|
||||||
|
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||||
|
+ &provider_conf_ossl_ctx_method);
|
||||||
|
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||||
|
+ return 0;
|
||||||
|
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||||
|
+ return 0;
|
||||||
|
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
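Review bot: In the block added to provider_conf_init, `pcgbl` is fetched via ossl_lib_ctx_get_data but never used (provider_conf_activate fetches its own copy), so those three declaration lines are dead code that will draw an unused-variable warning; drop them and keep only the `libctx` line. The `/* XXX from provider_conf_load */` marker says nothing about why the forced activation exists; I would replace it with `/* Kernel is in FIPS mode: activate the fips and base providers and make FIPS the default property query regardless of what the config file says. */`. Since provider_conf_activate returns 0 on failure and provider_conf_init then returns 0, configuration loading fails closed in that case, which is presumably the intent; ossl_get_kernel_fips_flag() is a downstream helper not visible here.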
@ -0,0 +1,223 @@
|
|||||||
|
diff -up openssl-3.0.0/providers/fips/self_test.c.embed-hmac openssl-3.0.0/providers/fips/self_test.c
|
||||||
|
--- openssl-3.0.0/providers/fips/self_test.c.embed-hmac 2021-11-16 13:57:05.127171056 +0100
|
||||||
|
+++ openssl-3.0.0/providers/fips/self_test.c 2021-11-16 14:07:21.963412455 +0100
|
||||||
|
@@ -171,11 +171,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define HMAC_LEN 32
|
||||||
|
+/*
|
||||||
|
+ * The __attribute__ ensures we've created the .rodata1 section
|
||||||
|
+ * static ensures it's zero filled
|
||||||
|
+*/
|
||||||
|
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
||||||
|
* the result matches the expected value.
|
||||||
|
* Return 1 if verified, or 0 if it fails.
|
||||||
|
*/
|
||||||
|
+#ifndef __USE_GNU
|
||||||
|
+#define __USE_GNU
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
+#undef __USE_GNU
|
||||||
|
+#else
|
||||||
|
+#include <dlfcn.h>
|
||||||
|
+#endif
|
||||||
|
+#include <link.h>
|
||||||
|
+
|
||||||
|
static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb,
|
||||||
|
unsigned char *expected, size_t expected_len,
|
||||||
|
OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev,
|
||||||
|
@@ -183,14 +199,26 @@ static int verify_integrity(OSSL_CORE_BI
|
||||||
|
{
|
||||||
|
int ret = 0, status;
|
||||||
|
unsigned char out[MAX_MD_SIZE];
|
||||||
|
- unsigned char buf[INTEGRITY_BUF_SIZE];
|
||||||
|
+ unsigned char buf[INTEGRITY_BUF_SIZE+HMAC_LEN];
|
||||||
|
size_t bytes_read = 0, out_len = 0;
|
||||||
|
EVP_MAC *mac = NULL;
|
||||||
|
EVP_MAC_CTX *ctx = NULL;
|
||||||
|
OSSL_PARAM params[2], *p = params;
|
||||||
|
+ Dl_info info;
|
||||||
|
+ void *extra_info = NULL;
|
||||||
|
+ struct link_map *lm = NULL;
|
||||||
|
+ unsigned long paddr;
|
||||||
|
+ unsigned long off = 0;
|
||||||
|
+ int have_rest = 0;
|
||||||
|
|
||||||
|
OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC);
|
||||||
|
|
||||||
|
+ if (!dladdr1 ((const void *)fips_hmac_container,
|
||||||
|
+ &info, &extra_info, RTLD_DL_LINKMAP))
|
||||||
|
+ goto err;
|
||||||
|
+ lm = extra_info;
|
||||||
|
+ paddr = (unsigned long)fips_hmac_container - lm->l_addr;
|
||||||
|
+
|
||||||
|
mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL);
|
||||||
|
if (mac == NULL)
|
||||||
|
goto err;
|
||||||
|
@@ -204,12 +233,53 @@ static int verify_integrity(OSSL_CORE_BI
|
||||||
|
if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read);
|
||||||
|
+ if (status != 1 || bytes_read != HMAC_LEN)
|
||||||
|
+ goto err;
|
||||||
|
+ off += HMAC_LEN;
|
||||||
|
+
|
||||||
|
while (1) {
|
||||||
|
- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read);
|
||||||
|
- if (status != 1)
|
||||||
|
+ status = read_ex_cb(bio, buf+HMAC_LEN, INTEGRITY_BUF_SIZE, &bytes_read);
|
||||||
|
+ if (status != 1) {
|
||||||
|
+ have_rest = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (bytes_read == INTEGRITY_BUF_SIZE) { /* Full block */
|
||||||
|
+ /* Logic:
|
||||||
|
+ * We have HMAC_LEN (read before) + INTEGRITY_BUF_SIZE (read now) in buffer
|
||||||
|
+ * We calculate HMAC from first INTEGRITY_BUF_SIZE bytes
|
||||||
|
+ * and move last HMAC_LEN bytes to the beginning of the buffer
|
||||||
|
+ *
|
||||||
|
+ * If we have read (a part of) buffer fips_hmac_container
|
||||||
|
+ * we should replace it with zeros.
|
||||||
|
+ * If it is inside our current buffer, we will update now.
|
||||||
|
+ * If it intersects the upper bound, we will clean up on the next step.
|
||||||
|
+ */
|
||||||
|
+ if (off - HMAC_LEN <= paddr && paddr <= off + bytes_read)
|
||||||
|
+ memset (buf + HMAC_LEN + paddr - off, 0, HMAC_LEN);
|
||||||
|
+ off += bytes_read;
|
||||||
|
+
|
||||||
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
+ goto err;
|
||||||
|
+ memcpy (buf, buf+INTEGRITY_BUF_SIZE, HMAC_LEN);
|
||||||
|
+ } else { /* Final block */
|
||||||
|
+ /* Logic is basically the same as in previous branch
|
||||||
|
+ * but we calculate HMAC from HMAC_LEN (rest of previous step)
|
||||||
|
+ * and bytes_read read on this step
|
||||||
|
+ * */
|
||||||
|
+ if (off - HMAC_LEN <= paddr && paddr <= off + bytes_read)
|
||||||
|
+ memset (buf + HMAC_LEN + paddr - off, 0, HMAC_LEN);
|
||||||
|
+ if (!EVP_MAC_update(ctx, buf, bytes_read+HMAC_LEN))
|
||||||
|
+ goto err;
|
||||||
|
+ off += bytes_read;
|
||||||
|
break;
|
||||||
|
- if (!EVP_MAC_update(ctx, buf, bytes_read))
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (have_rest) {
|
||||||
|
+ if (!EVP_MAC_update(ctx, buf, HMAC_LEN))
|
||||||
|
goto err;
|
||||||
|
+ off += HMAC_LEN;
|
||||||
|
}
|
||||||
|
if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out)))
|
||||||
|
goto err;
|
||||||
|
@@ -284,8 +358,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
CRYPTO_THREAD_unlock(fips_state_lock);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (st == NULL
|
||||||
|
- || st->module_checksum_data == NULL) {
|
||||||
|
+ if (st == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
@@ -294,8 +367,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
if (ev == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data,
|
||||||
|
- &checksum_len);
|
||||||
|
+ module_checksum = fips_hmac_container;
|
||||||
|
+ checksum_len = sizeof(fips_hmac_container);
|
||||||
|
+
|
||||||
|
if (module_checksum == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA);
|
||||||
|
goto end;
|
||||||
|
@@ -357,7 +431,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
ok = 1;
|
||||||
|
end:
|
||||||
|
OSSL_SELF_TEST_free(ev);
|
||||||
|
- OPENSSL_free(module_checksum);
|
||||||
|
OPENSSL_free(indicator_checksum);
|
||||||
|
|
||||||
|
if (st != NULL) {
|
||||||
|
diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t
|
||||||
|
--- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
|
||||||
|
+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
use platform;
|
||||||
|
|
||||||
|
-my $no_check = disabled("fips");
|
||||||
|
+my $no_check = 1;
|
||||||
|
plan skip_all => "FIPS module config file only supported in a fips build"
|
||||||
|
if $no_check;
|
||||||
|
|
||||||
|
diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t
|
||||||
|
--- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200
|
||||||
|
+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100
|
||||||
|
@@ -23,7 +23,7 @@
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
use platform;
|
||||||
|
|
||||||
|
-my $no_check = disabled("fips");
|
||||||
|
+my $no_check = 1;
|
||||||
|
plan skip_all => "Test only supported in a fips build"
|
||||||
|
if $no_check;
|
||||||
|
plan tests => 1;
|
||||||
|
diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t
|
||||||
|
--- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200
|
||||||
|
+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100
|
||||||
|
@@ -22,7 +22,7 @@
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
use platform;
|
||||||
|
|
||||||
|
-plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
||||||
|
+plan skip_all => "Test only supported in a fips build" if 1;
|
||||||
|
|
||||||
|
plan tests => 29;
|
||||||
|
|
||||||
|
diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t
|
||||||
|
--- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200
|
||||||
|
+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100
|
||||||
|
@@ -21,7 +21,7 @@
|
||||||
|
use lib srctop_dir('Configurations');
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
|
||||||
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
|
||||||
|
plan tests =>
|
||||||
|
($no_fips ? 1 : 5);
|
||||||
|
diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t
|
||||||
|
--- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200
|
||||||
|
+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100
|
||||||
|
@@ -23,7 +23,7 @@
|
||||||
|
use lib srctop_dir('Configurations');
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
|
||||||
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
|
||||||
|
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||||
|
|
||||||
|
diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t
|
||||||
|
--- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100
|
||||||
|
+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100
|
||||||
|
@@ -18,7 +18,7 @@
|
||||||
|
use lib srctop_dir('Configurations');
|
||||||
|
use lib bldtop_dir('.');
|
||||||
|
|
||||||
|
-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
+my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||||
|
|
||||||
|
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
|
||||||
|
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
|
||||||
|
--- /dev/null 2021-11-16 15:27:32.915000000 +0100
|
||||||
|
+++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+[fips_sect]
|
||||||
|
+activate = 1
|
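Review bot: The memset in the full-block branch of verify_integrity can write past the end of `buf`: the array holds INTEGRITY_BUF_SIZE+HMAC_LEN bytes, but the guard admits `paddr` up to `off + bytes_read`, so when the container starts within the last HMAC_LEN bytes of the block just read, `buf + HMAC_LEN + paddr - off` points into the final HMAC_LEN bytes of the array (or exactly at its end) and the fixed HMAC_LEN-byte memset overruns the stack by up to HMAC_LEN bytes. The comment above it anticipates this "intersects the upper bound" case, but the code never clamps the write; only the part of the container inside `buf` should be zeroed here, the remainder is carried over by the memcpy below and is zeroed on the next iteration, which the existing guard already permits. Whether this fires depends on where `.rodata1` lands relative to INTEGRITY_BUF_SIZE boundaries in the file, so it may pass on one build and abort under the stack protector on another; the same clamp is cheap to apply in the final-block branch too. Separately, `paddr` is an `l_addr`-relative virtual address while `off` counts file bytes; they agree only when the section's file offset equals its p_vaddr minus the load base, which holds for the usual read-only segment layout but deserves a comment at the `paddr =` line.

```c
            if (off - HMAC_LEN <= paddr && paddr <= off + bytes_read) {
                size_t start = HMAC_LEN + paddr - off;
                size_t n = HMAC_LEN;

                /* Zero only what lies inside buf; the tail is carried over by
                 * the memcpy below and zeroed again on the next iteration. */
                if (start + n > sizeof(buf))
                    n = sizeof(buf) - start;
                memset(buf + start, 0, n);
            }
            off += bytes_read;
            /* … unchanged: EVP_MAC_update and carry-over memcpy … */
```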
@ -0,0 +1,406 @@
|
|||||||
|
diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
|
||||||
|
--- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100
|
||||||
|
+++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100
|
||||||
|
@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar
|
||||||
|
EVP_MAC *mac = NULL;
|
||||||
|
CONF *conf = NULL;
|
||||||
|
|
||||||
|
+ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n");
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
|
||||||
|
--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
|
||||||
|
@@ -158,10 +158,6 @@ Engine (loadable module) information and
|
||||||
|
|
||||||
|
Error Number to Error String Conversion.
|
||||||
|
|
||||||
|
-=item B<fipsinstall>
|
||||||
|
-
|
||||||
|
-FIPS configuration installation.
|
||||||
|
-
|
||||||
|
=item B<gendsa>
|
||||||
|
|
||||||
|
Generation of DSA Private Key from Parameters. Superseded by
|
||||||
|
diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
|
||||||
|
--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
|
||||||
|
@@ -573,7 +573,6 @@ configuration files using that syntax wi
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||||
|
-L<openssl-fipsinstall(1)>,
|
||||||
|
L<ASN1_generate_nconf(3)>,
|
||||||
|
L<EVP_set_default_properties(3)>,
|
||||||
|
L<CONF_modules_load(3)>,
|
||||||
|
diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
|
||||||
|
--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
|
||||||
|
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||||
|
-is used to hold information about the FIPS module. This includes a digest
|
||||||
|
-of the shared library file, and status about the self-testing.
|
||||||
|
-This data is used automatically by the module itself for two
|
||||||
|
-purposes:
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||||
|
-
|
||||||
|
-This is normally done once, at installation time, but may also be set up to
|
||||||
|
-run each time the module is used.
|
||||||
|
-
|
||||||
|
-=item - Verify the module's checksum.
|
||||||
|
-
|
||||||
|
-This is done each time the module is used.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||||
|
-used internally by the FIPS module during its initialization.
|
||||||
|
-
|
||||||
|
-The following options are supported. They should all appear in a section
|
||||||
|
-whose name is identified by the B<fips> option in the B<providers>
|
||||||
|
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item B<activate>
|
||||||
|
-
|
||||||
|
-If present, the module is activated. The value assigned to this name is not
|
||||||
|
-significant.
|
||||||
|
-
|
||||||
|
-=item B<install-version>
|
||||||
|
-
|
||||||
|
-A version number for the fips install process. Should be 1.
|
||||||
|
-
|
||||||
|
-=item B<conditional-errors>
|
||||||
|
-
|
||||||
|
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||||
|
-Once this error mode is active, no services or cryptographic algorithms are
|
||||||
|
-accessible from this point on.
|
||||||
|
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||||
|
-generation, or the CRNG output test).
|
||||||
|
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||||
|
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||||
|
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||||
|
-continuous test will return an error code if its continuous test fails. The
|
||||||
|
-operation may then be retried if the error mode has not been triggered.
|
||||||
|
-
|
||||||
|
-=item B<security-checks>
|
||||||
|
-
|
||||||
|
-This indicates if run-time checks related to enforcement of security parameters
|
||||||
|
-such as minimum security strength of keys and approved curve names are used.
|
||||||
|
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||||
|
-are not performed and FIPS compliance must be done by procedures documented in
|
||||||
|
-the relevant Security Policy.
|
||||||
|
-
|
||||||
|
-=item B<module-mac>
|
||||||
|
-
|
||||||
|
-The calculated MAC of the FIPS provider file.
|
||||||
|
-
|
||||||
|
-=item B<install-status>
|
||||||
|
-
|
||||||
|
-An indicator that the self-tests were successfully run.
|
||||||
|
-This should only be written after the module has
|
||||||
|
-successfully passed its self tests during installation.
|
||||||
|
-If this field is not present, then the self tests will run when the module
|
||||||
|
-loads.
|
||||||
|
-
|
||||||
|
-=item B<install-mac>
|
||||||
|
-
|
||||||
|
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||||
|
-changes to that value.
|
||||||
|
-It is written-to at the same time as B<install-status> is updated.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-For example:
|
||||||
|
-
|
||||||
|
- [fips_sect]
|
||||||
|
- activate = 1
|
||||||
|
- install-version = 1
|
||||||
|
- conditional-errors = 1
|
||||||
|
- security-checks = 1
|
||||||
|
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||||
|
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||||
|
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||||
|
-
|
||||||
|
-=head1 NOTES
|
||||||
|
-
|
||||||
|
-When using the FIPS provider, it is recommended that the
|
||||||
|
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||||
|
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||||
|
-See L<config(5)>.
|
||||||
|
-
|
||||||
|
-=head1 SEE ALSO
|
||||||
|
-
|
||||||
|
-L<config(5)>
|
||||||
|
-L<openssl-fipsinstall(1)>
|
||||||
|
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
||||||
|
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||||
|
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||||
|
+for more information.
|
||||||
|
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||||
|
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
|
||||||
|
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
-L<openssl-fipsinstall(1)>,
|
||||||
|
L<fips_config(5)>,
|
||||||
|
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||||
|
L<OSSL_SELF_TEST_new(3)>,
|
||||||
|
diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
|
||||||
|
--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
|
||||||
|
+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
|
||||||
|
@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
|
B<openssl fipsinstall>
|
||||||
|
-[B<-help>]
|
||||||
|
-[B<-in> I<configfilename>]
|
||||||
|
-[B<-out> I<configfilename>]
|
||||||
|
-[B<-module> I<modulefilename>]
|
||||||
|
-[B<-provider_name> I<providername>]
|
||||||
|
-[B<-section_name> I<sectionname>]
|
||||||
|
-[B<-verify>]
|
||||||
|
-[B<-mac_name> I<macname>]
|
||||||
|
-[B<-macopt> I<nm>:I<v>]
|
||||||
|
-[B<-noout>]
|
||||||
|
-[B<-quiet>]
|
||||||
|
-[B<-no_conditional_errors>]
|
||||||
|
-[B<-no_security_checks>]
|
||||||
|
-[B<-self_test_onload>]
|
||||||
|
-[B<-corrupt_desc> I<selftest_description>]
|
||||||
|
-[B<-corrupt_type> I<selftest_type>]
|
||||||
|
-[B<-config> I<parent_config>]
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
-
|
||||||
|
-This command is used to generate a FIPS module configuration file.
|
||||||
|
-This configuration file can be used each time a FIPS module is loaded
|
||||||
|
-in order to pass data to the FIPS module self tests. The FIPS module always
|
||||||
|
-verifies its MAC, but optionally only needs to run the KAT's once,
|
||||||
|
-at installation.
|
||||||
|
-
|
||||||
|
-The generated configuration file consists of:
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item - A MAC of the FIPS module file.
|
||||||
|
-
|
||||||
|
-=item - A test status indicator.
|
||||||
|
-
|
||||||
|
-This indicates if the Known Answer Self Tests (KAT's) have successfully run.
|
||||||
|
-
|
||||||
|
-=item - A MAC of the status indicator.
|
||||||
|
-
|
||||||
|
-=item - A control for conditional self tests errors.
|
||||||
|
-
|
||||||
|
-By default if a continuous test (e.g a key pair test) fails then the FIPS module
|
||||||
|
-will enter an error state, and no services or cryptographic algorithms will be
|
||||||
|
-able to be accessed after this point.
|
||||||
|
-The default value of '1' will cause the fips module error state to be entered.
|
||||||
|
-If the value is '0' then the module error state will not be entered.
|
||||||
|
-Regardless of whether the error state is entered or not, the current operation
|
||||||
|
-(e.g. key generation) will return an error. The user is responsible for retrying
|
||||||
|
-the operation if the module error state is not entered.
|
||||||
|
-
|
||||||
|
-=item - A control to indicate whether run-time security checks are done.
|
||||||
|
-
|
||||||
|
-This indicates if run-time checks related to enforcement of security parameters
|
||||||
|
-such as minimum security strength of keys and approved curve names are used.
|
||||||
|
-The default value of '1' will perform the checks.
|
||||||
|
-If the value is '0' the checks are not performed and FIPS compliance must
|
||||||
|
-be done by procedures documented in the relevant Security Policy.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-This file is described in L<fips_config(5)>.
|
||||||
|
-
|
||||||
|
-=head1 OPTIONS
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item B<-help>
|
||||||
|
-
|
||||||
|
-Print a usage message.
|
||||||
|
-
|
||||||
|
-=item B<-module> I<filename>
|
||||||
|
-
|
||||||
|
-Filename of the FIPS module to perform an integrity check on.
|
||||||
|
-The path provided in the filename is used to load the module when it is
|
||||||
|
-activated, and this overrides the environment variable B<OPENSSL_MODULES>.
|
||||||
|
-
|
||||||
|
-=item B<-out> I<configfilename>
|
||||||
|
-
|
||||||
|
-Filename to output the configuration data to; the default is standard output.
|
||||||
|
-
|
||||||
|
-=item B<-in> I<configfilename>
|
||||||
|
-
|
||||||
|
-Input filename to load configuration data from.
|
||||||
|
-Must be used if the B<-verify> option is specified.
|
||||||
|
-
|
||||||
|
-=item B<-verify>
|
||||||
|
-
|
||||||
|
-Verify that the input configuration file contains the correct information.
|
||||||
|
-
|
||||||
|
-=item B<-provider_name> I<providername>
|
||||||
|
-
|
||||||
|
-Name of the provider inside the configuration file.
|
||||||
|
-The default value is C<fips>.
|
||||||
|
-
|
||||||
|
-=item B<-section_name> I<sectionname>
|
||||||
|
-
|
||||||
|
-Name of the section inside the configuration file.
|
||||||
|
-The default value is C<fips_sect>.
|
||||||
|
-
|
||||||
|
-=item B<-mac_name> I<name>
|
||||||
|
-
|
||||||
|
-Specifies the name of a supported MAC algorithm which will be used.
|
||||||
|
-The MAC mechanisms that are available will depend on the options
|
||||||
|
-used when building OpenSSL.
|
||||||
|
-To see the list of supported MAC's use the command
|
||||||
|
-C<openssl list -mac-algorithms>. The default is B<HMAC>.
|
||||||
|
-
|
||||||
|
-=item B<-macopt> I<nm>:I<v>
|
||||||
|
-
|
||||||
|
-Passes options to the MAC algorithm.
|
||||||
|
-A comprehensive list of controls can be found in the EVP_MAC implementation
|
||||||
|
-documentation.
|
||||||
|
-Common control strings used for this command are:
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item B<key>:I<string>
|
||||||
|
-
|
||||||
|
-Specifies the MAC key as an alphanumeric string (use if the key contains
|
||||||
|
-printable characters only).
|
||||||
|
-The string length must conform to any restrictions of the MAC algorithm.
|
||||||
|
-A key must be specified for every MAC algorithm.
|
||||||
|
-If no key is provided, the default that was specified when OpenSSL was
|
||||||
|
-configured is used.
|
||||||
|
-
|
||||||
|
-=item B<hexkey>:I<string>
|
||||||
|
-
|
||||||
|
-Specifies the MAC key in hexadecimal form (two hex digits per byte).
|
||||||
|
-The key length must conform to any restrictions of the MAC algorithm.
|
||||||
|
-A key must be specified for every MAC algorithm.
|
||||||
|
-If no key is provided, the default that was specified when OpenSSL was
|
||||||
|
-configured is used.
|
||||||
|
-
|
||||||
|
-=item B<digest>:I<string>
|
||||||
|
-
|
||||||
|
-Used by HMAC as an alphanumeric string (use if the key contains printable
|
||||||
|
-characters only).
|
||||||
|
-The string length must conform to any restrictions of the MAC algorithm.
|
||||||
|
-To see the list of supported digests, use the command
|
||||||
|
-C<openssl list -digest-commands>.
|
||||||
|
-The default digest is SHA-256.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-=item B<-noout>
|
||||||
|
-
|
||||||
|
-Disable logging of the self tests.
|
||||||
|
-
|
||||||
|
-=item B<-no_conditional_errors>
|
||||||
|
-
|
||||||
|
-Configure the module to not enter an error state if a conditional self test
|
||||||
|
-fails as described above.
|
||||||
|
-
|
||||||
|
-=item B<-no_security_checks>
|
||||||
|
-
|
||||||
|
-Configure the module to not perform run-time security checks as described above.
|
||||||
|
-
|
||||||
|
-=item B<-self_test_onload>
|
||||||
|
-
|
||||||
|
-Do not write the two fields related to the "test status indicator" and
|
||||||
|
-"MAC status indicator" to the output configuration file. Without these fields
|
||||||
|
-the self tests KATS will run each time the module is loaded. This option could be
|
||||||
|
-used for cross compiling, since the self tests need to run at least once on each
|
||||||
|
-target machine. Once the self tests have run on the target machine the user
|
||||||
|
-could possibly then add the 2 fields into the configuration using some other
|
||||||
|
-mechanism.
|
||||||
|
-
|
||||||
|
-=item B<-quiet>
|
||||||
|
-
|
||||||
|
-Do not output pass/fail messages. Implies B<-noout>.
|
||||||
|
-
|
||||||
|
-=item B<-corrupt_desc> I<selftest_description>,
|
||||||
|
-B<-corrupt_type> I<selftest_type>
|
||||||
|
-
|
||||||
|
-The corrupt options can be used to test failure of one or more self tests by
|
||||||
|
-name.
|
||||||
|
-Either option or both may be used to select the tests to corrupt.
|
||||||
|
-Refer to the entries for B<st-desc> and B<st-type> in L<OSSL_PROVIDER-FIPS(7)> for
|
||||||
|
-values that can be used.
|
||||||
|
-
|
||||||
|
-=item B<-config> I<parent_config>
|
||||||
|
-
|
||||||
|
-Test that a FIPS provider can be loaded from the specified configuration file.
|
||||||
|
-A previous call to this application needs to generate the extra configuration
|
||||||
|
-data that is included by the base C<parent_config> configuration file.
|
||||||
|
-See L<config(5)> for further information on how to set up a provider section.
|
||||||
|
-All other options are ignored if '-config' is used.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-=head1 NOTES
|
||||||
|
-
|
||||||
|
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
|
||||||
|
-are not specified, or if either of the options B<-corrupt_desc> or
|
||||||
|
-B<-corrupt_type> are used.
|
||||||
|
-If the base configuration file is set up to autoload the fips module, then the
|
||||||
|
-fips module will be loaded and self tested BEFORE the fipsinstall application
|
||||||
|
-has a chance to set up its own self test callback. As a result of this the self
|
||||||
|
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
|
||||||
|
-For normal usage the base configuration file should use the default provider
|
||||||
|
-when generating the fips configuration file.
|
||||||
|
-
|
||||||
|
-=head1 EXAMPLES
|
||||||
|
-
|
||||||
|
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
||||||
|
-for the module, and save the F<fips.cnf> configuration file:
|
||||||
|
-
|
||||||
|
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
|
||||||
|
-
|
||||||
|
-Verify that the configuration file F<fips.cnf> contains the correct info:
|
||||||
|
-
|
||||||
|
- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify
|
||||||
|
-
|
||||||
|
-Corrupt any self tests which have the description C<SHA1>:
|
||||||
|
-
|
||||||
|
- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
|
||||||
|
- -corrupt_desc 'SHA1'
|
||||||
|
-
|
||||||
|
-Validate that the fips module can be loaded from a base configuration file:
|
||||||
|
-
|
||||||
|
- export OPENSSL_CONF_INCLUDE=<path of configuration files>
|
||||||
|
- export OPENSSL_MODULES=<provider-path>
|
||||||
|
- openssl fipsinstall -config' 'default.cnf'
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-=head1 SEE ALSO
|
||||||
|
-
|
||||||
|
-L<config(5)>,
|
||||||
|
-L<fips_config(5)>,
|
||||||
|
-L<OSSL_PROVIDER-FIPS(7)>,
|
||||||
|
-L<EVP_MAC(3)>
|
||||||
|
+This command is disabled.
|
||||||
|
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
|
||||||
|
+enable FIPS mode on Red Hat Enterprise
|
||||||
|
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
diff -up openssl-3.0.0/apps/speed.c.beldmit openssl-3.0.0/apps/speed.c
|
||||||
|
--- openssl-3.0.0/apps/speed.c.beldmit 2021-12-21 15:14:04.210431584 +0100
|
||||||
|
+++ openssl-3.0.0/apps/speed.c 2021-12-21 15:46:05.554085125 +0100
|
||||||
|
@@ -547,6 +547,9 @@ static int EVP_MAC_loop(int algindex, vo
|
||||||
|
for (count = 0; COND(c[algindex][testnum]); count++) {
|
||||||
|
size_t outl;
|
||||||
|
|
||||||
|
+ if (mctx == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
if (!EVP_MAC_init(mctx, NULL, 0, NULL)
|
||||||
|
|| !EVP_MAC_update(mctx, buf, lengths[testnum])
|
||||||
|
|| !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
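Review bot: The new `mctx == NULL` guard sits inside the `for` body, so it is re-evaluated on every iteration even though mctx does not change within the loop; hoisting it above the loop as `if (mctx == NULL) return -1;` makes the intent clearer and keeps the hot loop free of the check. EVP_MAC_loop's signature and the declaration of mctx are outside the hunk, so I cannot confirm from here how a negative return is consumed by the caller; a one-line comment at the hoisted check saying that -1 means "context unavailable, measurement skipped" would help.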
|
||||||
|
@@ -1922,8 +1925,10 @@ int speed_main(int argc, char **argv)
|
||||||
|
if (loopargs[i].mctx == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
- if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params))
|
||||||
|
- goto end;
|
||||||
|
+ if (!EVP_MAC_CTX_set_params(loopargs[i].mctx, params)) {
|
||||||
|
+ EVP_MAC_CTX_free(loopargs[i].mctx);
|
||||||
|
+ loopargs[i].mctx = NULL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
for (testnum = 0; testnum < size_num; testnum++) {
|
||||||
|
print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum],
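Review bot: A failing EVP_MAC_CTX_set_params is now tolerated silently: the context is freed and set to NULL and speed_main carries on, whereas the `loopargs[i].mctx == NULL` case two lines above still jumps to `end`, so the two failure modes of setting up the same context are handled inconsistently. The benchmark for that MAC then only surfaces as a -1 from EVP_MAC_loop with nothing in the output naming the cause; a diagnostic before the free, e.g. `BIO_printf(bio_err, "EVP_MAC_CTX_set_params failed, skipping\n"); ERR_print_errors(bio_err);`, would make the skipped measurement visible. speed_main continues outside the hunk.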
|
@ -0,0 +1,137 @@
|
|||||||
|
diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers/fips/fipsprov.c
|
||||||
|
--- openssl-3.0.0/providers/fips/fipsprov.c.fipsmin 2022-01-12 17:17:42.574377550 +0100
|
||||||
|
+++ openssl-3.0.0/providers/fips/fipsprov.c 2022-01-12 17:19:57.590598279 +0100
|
||||||
|
@@ -37,6 +37,9 @@ static OSSL_FUNC_provider_query_operatio
|
||||||
|
|
||||||
|
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
|
||||||
|
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
||||||
|
+#define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK }
|
||||||
|
+#define ALGU(NAMES, FUNC) ALGCU(NAMES, FUNC, NULL)
|
||||||
|
+
|
||||||
|
|
||||||
|
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||||
|
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
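Review bot: FIPS_UNAPPROVED_PROPERTIES, used by the new ALGCU/ALGU macros here and by the inline entries in the fips_digests, fips_macs, fips_keyexch, fips_signature and fips_keymgmt hunks, is not defined anywhere in this patch, and neither is REDHAT_FIPS_VERSION used in the fips_get_params hunk; presumably both come from a companion patch or from the build's CFLAGS. A comment next to the macro definitions naming their origin, e.g. `/* FIPS_UNAPPROVED_PROPERTIES and REDHAT_FIPS_VERSION are provided by the downstream build, not by upstream headers */` (adjusted to the real source), would save the next maintainer a search. In the fips_get_params hunk, OSSL_PROV_PARAM_VERSION and OSSL_PROV_PARAM_BUILDINFO now report the same string, so the build information upstream exposes is dropped; if that is intended it deserves a comment as well.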
|
||||||
|
@@ -177,13 +177,13 @@ static int fips_get_params(void *provctx
|
||||||
|
&fips_prov_ossl_ctx_method);
|
||||||
|
|
||||||
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME);
|
||||||
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider"))
|
||||||
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider"))
|
||||||
|
return 0;
|
||||||
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION);
|
||||||
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR))
|
||||||
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
||||||
|
return 0;
|
||||||
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO);
|
||||||
|
- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR))
|
||||||
|
+ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION))
|
||||||
|
return 0;
|
||||||
|
p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
|
||||||
|
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
|
||||||
|
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
|
||||||
|
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||||
|
* KMAC128 and KMAC256.
|
||||||
|
*/
|
||||||
|
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
+ { PROV_NAMES_KECCAK_KMAC_128, FIPS_UNAPPROVED_PROPERTIES,
|
||||||
|
ossl_keccak_kmac_128_functions },
|
||||||
|
- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
+ { PROV_NAMES_KECCAK_KMAC_256, FIPS_UNAPPROVED_PROPERTIES,
|
||||||
|
ossl_keccak_kmac_256_functions },
|
||||||
|
{ NULL, NULL, NULL }
|
||||||
|
};
|
||||||
|
@@ -326,8 +329,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
|
||||||
|
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
||||||
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
||||||
|
#ifndef OPENSSL_NO_DES
|
||||||
|
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||||
|
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
||||||
|
+ ALGU(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||||
|
+ ALGU(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
||||||
|
#endif /* OPENSSL_NO_DES */
|
||||||
|
{ { NULL, NULL, NULL }, NULL }
|
||||||
|
};
|
||||||
|
@@ -339,8 +342,8 @@ static const OSSL_ALGORITHM fips_macs[]
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
||||||
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
||||||
|
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
||||||
|
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
||||||
|
+ { PROV_NAMES_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac128_functions },
|
||||||
|
+ { PROV_NAMES_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac256_functions },
|
||||||
|
{ NULL, NULL, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -375,8 +378,8 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
||||||
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||||
|
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
||||||
|
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||||
|
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
ossl_kdf_tls1_prf_keyexch_functions },
|
||||||
|
@@ -386,12 +389,12 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||||
|
|
||||||
|
static const OSSL_ALGORITHM fips_signature[] = {
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
||||||
|
+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_signature_functions },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
|
||||||
|
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
|
||||||
|
+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions },
|
||||||
|
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
|
||||||
|
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||||
|
PROV_DESCS_DHX },
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||||
|
PROV_DESCS_DSA },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
||||||
|
@@ -431,13 +434,13 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
||||||
|
PROV_DESCS_EC },
|
||||||
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||||
|
PROV_DESCS_X25519 },
|
||||||
|
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions,
|
||||||
|
PROV_DESCS_X448 },
|
||||||
|
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
||||||
|
PROV_DESCS_ED25519 },
|
||||||
|
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
|
||||||
|
PROV_DESCS_ED448 },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
||||||
|
diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c
|
||||||
|
--- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100
|
||||||
|
+++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100
|
||||||
|
@@ -1473,6 +1473,7 @@ int setup_tests(void)
|
||||||
|
OSSL_NELEM(dh_safe_prime_keyver_data));
|
||||||
|
#endif /* OPENSSL_NO_DH */
|
||||||
|
|
||||||
|
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
||||||
|
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
||||||
|
@@ -1480,6 +1481,7 @@ int setup_tests(void)
|
||||||
|
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
||||||
|
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
||||||
|
#endif /* OPENSSL_NO_DSA */
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
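Review bot: The `+#endif` added in this hunk carries no comment tying it back to the `#if 0` opened in the previous hunk, unlike the surrounding `#endif /* OPENSSL_NO_DSA */` convention; `#endif /* DSA is not fips=yes in this provider */` keeps the nesting readable when the two hunks are far apart. Since DSA stays registered in fipsprov.c (with FIPS_UNAPPROVED_PROPERTIES), the DSA ACVP vectors could presumably be kept by fetching with an explicit property query instead of being disabled outright; if dropping the coverage is deliberate, the `#if 0` comment should say why.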
|
@ -0,0 +1,22 @@
|
|||||||
|
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
|
||||||
|
index 5c70b2d67840..c5726c638bdd 100644
|
||||||
|
--- a/crypto/ec/ecp_s390x_nistp.c
|
||||||
|
+++ b/crypto/ec/ecp_s390x_nistp.c
|
||||||
|
@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
|
||||||
|
/* Otherwise use default. */
|
||||||
|
if (rc == -1)
|
||||||
|
rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
|
||||||
|
- OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
|
||||||
|
+ OPENSSL_cleanse(param, sizeof(param));
|
||||||
|
BN_CTX_end(ctx);
|
||||||
|
BN_CTX_free(new_ctx);
|
||||||
|
return rc;
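Review bot: `OPENSSL_cleanse(param, sizeof(param))` clears the whole parameter block only if `param` is declared as a fixed-size array in this function; if it were a pointer, sizeof would yield the pointer size and the change would wipe fewer bytes than the old explicit `len`-based call did. The declaration of `param` is outside the hunk, so please confirm it is an array; the same applies to the `ret:` hunk in ecdsa_s390x_nistp_sign_sig below, which makes the identical change. Clearing the full block rather than only the scalar or k slice is the right direction for secret hygiene. Both enclosing functions start outside their hunks.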
|
||||||
|
@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
|
||||||
|
|
||||||
|
ok = 1;
|
||||||
|
ret:
|
||||||
|
- OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
|
||||||
|
+ OPENSSL_cleanse(param, sizeof(param));
|
||||||
|
if (ok != 1) {
|
||||||
|
ECDSA_SIG_free(sig);
|
||||||
|
sig = NULL;
|
@ -0,0 +1,39 @@
|
|||||||
|
diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c
|
||||||
|
--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100
|
||||||
|
+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100
|
||||||
|
@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
if (ev == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
||||||
|
+ */
|
||||||
|
+ if (kats_already_passed == 0) {
|
||||||
|
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
module_checksum = fips_hmac_container;
|
||||||
|
checksum_len = sizeof(fips_hmac_container);
|
||||||
|
|
||||||
|
@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
kats_already_passed = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Only runs the KAT's during installation OR on_demand().
|
||||||
|
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
||||||
|
- * path will always be run, since kats_already_passed will always be 0.
|
||||||
|
- */
|
||||||
|
- if (on_demand_test || kats_already_passed == 0) {
|
||||||
|
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||||
|
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
ok = 1;
|
||||||
|
end:
|
||||||
|
OSSL_SELF_TEST_free(ev);
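Review bot: The relocated KAT condition is `kats_already_passed == 0` alone, while the removed block also ran on `on_demand_test`, so an explicit on-demand self test no longer re-executes the KATs once they have passed in this process. If that is intended, the new comment should state it; otherwise the guard should read `if (on_demand_test || kats_already_passed == 0) {`. A KAT failure now also occurs before the module checksum is compared, so the integrity check is skipped on that path; the function fails either way, but the comment ought to say that the ordering is deliberate. SELF_TEST_post's start lies outside the first hunk.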
|
@ -0,0 +1,52 @@
|
|||||||
|
diff -up openssl-3.0.1/apps/s_server.c.handle-records openssl-3.0.1/apps/s_server.c
|
||||||
|
--- openssl-3.0.1/apps/s_server.c.handle-records 2022-02-03 15:26:16.803434943 +0100
|
||||||
|
+++ openssl-3.0.1/apps/s_server.c 2022-02-03 15:34:33.358298697 +0100
|
||||||
|
@@ -2982,7 +2982,9 @@ static int www_body(int s, int stype, in
|
||||||
|
/* Set width for a select call if needed */
|
||||||
|
width = s + 1;
|
||||||
|
|
||||||
|
- buf = app_malloc(bufsize, "server www buffer");
|
||||||
|
+ /* as we use BIO_gets(), and it always null terminates data, we need
|
||||||
|
+ * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
|
||||||
|
+ buf = app_malloc(bufsize + 1, "server www buffer");
|
||||||
|
io = BIO_new(BIO_f_buffer());
|
||||||
|
ssl_bio = BIO_new(BIO_f_ssl());
|
||||||
|
if ((io == NULL) || (ssl_bio == NULL))
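Review bot: The new `bufsize + 1` in the BIO_gets calls (the two later www_body hunks and the last rev_body hunk) is only correct because of the matching `app_malloc(bufsize + 1, ...)` in this hunk and in the rev_body allocation hunk, and that pairing is explained solely by a comment at the allocation site. A single local such as `bufmax = bufsize + 1` used for both app_malloc and every BIO_gets would make the relationship mechanical and harder to break in a later edit. The comment's "2^14 byte record" also presumes the default bufsize; phrasing it as "a full record of bufsize bytes plus the terminator BIO_gets writes" stays true if the option changes. www_body starts outside the hunk.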
|
||||||
|
@@ -3047,7 +3049,7 @@ static int www_body(int s, int stype, in
|
||||||
|
}
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
- i = BIO_gets(io, buf, bufsize - 1);
|
||||||
|
+ i = BIO_gets(io, buf, bufsize + 1);
|
||||||
|
if (i < 0) { /* error */
|
||||||
|
if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
|
||||||
|
if (!s_quiet)
|
||||||
|
@@ -3112,7 +3114,7 @@ static int www_body(int s, int stype, in
|
||||||
|
* we're expecting to come from the client. If they haven't
|
||||||
|
* sent one there's not much we can do.
|
||||||
|
*/
|
||||||
|
- BIO_gets(io, buf, bufsize - 1);
|
||||||
|
+ BIO_gets(io, buf, bufsize + 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
BIO_puts(io,
|
||||||
|
@@ -3401,7 +3403,9 @@ static int rev_body(int s, int stype, in
|
||||||
|
SSL *con;
|
||||||
|
BIO *io, *ssl_bio, *sbio;
|
||||||
|
|
||||||
|
- buf = app_malloc(bufsize, "server rev buffer");
|
||||||
|
+ /* as we use BIO_gets(), and it always null terminates data, we need
|
||||||
|
+ * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
|
||||||
|
+ buf = app_malloc(bufsize + 1, "server rev buffer");
|
||||||
|
io = BIO_new(BIO_f_buffer());
|
||||||
|
ssl_bio = BIO_new(BIO_f_ssl());
|
||||||
|
if ((io == NULL) || (ssl_bio == NULL))
|
||||||
|
@@ -3476,7 +3480,7 @@ static int rev_body(int s, int stype, in
|
||||||
|
print_ssl_summary(con);
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
- i = BIO_gets(io, buf, bufsize - 1);
|
||||||
|
+ i = BIO_gets(io, buf, bufsize + 1);
|
||||||
|
if (i < 0) { /* error */
|
||||||
|
if (!BIO_should_retry(io)) {
|
||||||
|
if (!s_quiet)
|
@ -0,0 +1,489 @@
|
|||||||
|
From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Mon, 21 Feb 2022 17:24:44 +0100
|
||||||
|
Subject: Selectively disallow SHA1 signatures
|
||||||
|
|
||||||
|
For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is
|
||||||
|
disabling SHA1 signatures. Introduce a new configuration option in the
|
||||||
|
alg_section named 'rh-allow-sha1-signatures'. This option defaults to
|
||||||
|
false. If set to false (or unset), any signature creation or
|
||||||
|
verification operations that involve SHA1 as digest will fail.
|
||||||
|
|
||||||
|
This also affects TLS, where the signature_algorithms extension of any
|
||||||
|
ClientHello message sent by OpenSSL will no longer include signatures
|
||||||
|
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
|
||||||
|
that request a client certificate, the same also applies for
|
||||||
|
CertificateRequest messages sent by them.
|
||||||
|
|
||||||
|
For signatures created using the EVP_PKEY API, this is a best-effort
|
||||||
|
check that will deny signatures in cases where the digest algorithm is
|
||||||
|
known. This means, for example, that that following steps will still
|
||||||
|
work:
|
||||||
|
|
||||||
|
$> openssl dgst -sha1 -binary -out sha1 infile
|
||||||
|
$> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig
|
||||||
|
$> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1
|
||||||
|
|
||||||
|
whereas these will not:
|
||||||
|
|
||||||
|
$> openssl dgst -sha1 -binary -out sha1 infile
|
||||||
|
$> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1
|
||||||
|
$> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1
|
||||||
|
|
||||||
|
This happens because in the first case, OpenSSL's signature
|
||||||
|
implementation does not know that it is signing a SHA1 hash (it could be
|
||||||
|
signing arbitrary data).
|
||||||
|
|
||||||
|
Resolves: rhbz#2031742
|
||||||
|
---
|
||||||
|
crypto/evp/evp_cnf.c | 13 ++++
|
||||||
|
crypto/evp/m_sigver.c | 77 +++++++++++++++++++
|
||||||
|
crypto/evp/pmeth_lib.c | 15 ++++
|
||||||
|
doc/man5/config.pod | 11 +++
|
||||||
|
include/internal/cryptlib.h | 3 +-
|
||||||
|
include/internal/sslconf.h | 4 +
|
||||||
|
providers/common/securitycheck.c | 20 +++++
|
||||||
|
providers/common/securitycheck_default.c | 9 ++-
|
||||||
|
providers/implementations/signature/dsa_sig.c | 11 ++-
|
||||||
|
.../implementations/signature/ecdsa_sig.c | 4 +
|
||||||
|
providers/implementations/signature/rsa_sig.c | 20 ++++-
|
||||||
|
ssl/t1_lib.c | 8 ++
|
||||||
|
util/libcrypto.num | 2 +
|
||||||
|
13 files changed, 188 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
|
||||||
|
index 0e7fe64cf9..b9d3b6d226 100644
|
||||||
|
--- a/crypto/evp/evp_cnf.c
|
||||||
|
+++ b/crypto/evp/evp_cnf.c
|
||||||
|
@@ -10,6 +10,7 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
+#include "internal/sslconf.h"
|
||||||
|
#include <openssl/conf.h>
|
||||||
|
#include <openssl/x509.h>
|
||||||
|
#include <openssl/x509v3.h>
|
||||||
|
@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
|
||||||
|
ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) {
|
||||||
|
+ int m;
|
||||||
|
+
|
||||||
|
+ /* Detailed error already reported. */
|
||||||
|
+ if (!X509V3_get_value_bool(oval, &m))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed_set(
|
||||||
|
+ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) {
|
||||||
|
+ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION,
|
||||||
|
"name=%s, value=%s", oval->name, oval->value);
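Review bot: The error raised when ossl_ctx_legacy_digest_signatures_allowed_set fails is EVP_R_SET_DEFAULT_PROPERTY_FAILURE, which names an unrelated condition and will mislead anyone reading the error queue for this option; since the setter already raises ERR_R_INTERNAL_ERROR itself (see its definition in the m_sigver.c hunk), the outer `ERR_raise` can be dropped, or replaced with `ERR_raise_data(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR, "rh-allow-sha1-signatures");` so the option name reaches the queue. The `(CONF *)cnf` cast discards the const qualifier of the parameter; if NCONF_get0_libctx accepts a `const CONF *` in this tree the cast is unnecessary and should go. alg_module_init continues outside the hunk.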
|
||||||
|
diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c
|
||||||
|
index 9188edbc21..db1a1d7bc3 100644
|
||||||
|
--- a/crypto/evp/m_sigver.c
|
||||||
|
+++ b/crypto/evp/m_sigver.c
|
||||||
|
@@ -16,6 +16,71 @@
|
||||||
|
#include "internal/numbers.h" /* includes SIZE_MAX */
|
||||||
|
#include "evp_local.h"
|
||||||
|
|
||||||
|
+typedef struct ossl_legacy_digest_signatures_st {
|
||||||
|
+ int allowed;
|
||||||
|
+} OSSL_LEGACY_DIGEST_SIGNATURES;
|
||||||
|
+
|
||||||
|
+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs)
|
||||||
|
+{
|
||||||
|
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs;
|
||||||
|
+
|
||||||
|
+ if (ldsigs != NULL) {
|
||||||
|
+ OPENSSL_free(ldsigs);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx)
|
||||||
|
+{
|
||||||
|
+ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = {
|
||||||
|
+ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,
|
||||||
|
+ ossl_ctx_legacy_digest_signatures_new,
|
||||||
|
+ ossl_ctx_legacy_digest_signatures_free,
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures(
|
||||||
|
+ OSSL_LIB_CTX *libctx, int loadconfig)
|
||||||
|
+{
|
||||||
|
+#ifndef FIPS_MODULE
|
||||||
|
+ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL))
|
||||||
|
+ return 0;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES,
|
||||||
|
+ &ossl_ctx_legacy_digest_signatures_method);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig)
|
||||||
|
+{
|
||||||
|
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
||||||
|
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
||||||
|
+
|
||||||
|
+#ifndef FIPS_MODULE
|
||||||
|
+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL)
|
||||||
|
+ /* used in tests */
|
||||||
|
+ return 1;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ return ldsigs != NULL ? ldsigs->allowed : 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
||||||
|
+ int loadconfig)
|
||||||
|
+{
|
||||||
|
+ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs
|
||||||
|
+ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig);
|
||||||
|
+
|
||||||
|
+ if (ldsigs == NULL) {
|
||||||
|
+ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ldsigs->allowed = allow;
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#ifndef FIPS_MODULE
|
||||||
|
|
||||||
|
static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen)
|
||||||
|
@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (ctx->reqdigest != NULL
|
||||||
|
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac)
|
||||||
|
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf)
|
||||||
|
+ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) {
|
||||||
|
+ int mdnid = EVP_MD_nid(ctx->reqdigest);
|
||||||
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0)
|
||||||
|
+ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) {
|
||||||
|
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (ver) {
|
||||||
|
if (signature->digest_verify_init == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
|
||||||
|
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
|
||||||
|
index 2b9c6c2351..3c5a1e6f5d 100644
|
||||||
|
--- a/crypto/evp/pmeth_lib.c
|
||||||
|
+++ b/crypto/evp/pmeth_lib.c
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
|
#include "internal/ffc.h"
|
||||||
|
#include "internal/numbers.h"
|
||||||
|
#include "internal/provider.h"
|
||||||
|
+#include "internal/sslconf.h"
|
||||||
|
#include "evp_local.h"
|
||||||
|
|
||||||
|
#ifndef FIPS_MODULE
|
||||||
|
@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md,
|
||||||
|
return -2;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
|
||||||
|
+ && md != NULL
|
||||||
|
+ && ctx->pkey != NULL
|
||||||
|
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac)
|
||||||
|
+ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf)
|
||||||
|
+ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) {
|
||||||
|
+ int mdnid = EVP_MD_nid(md);
|
||||||
|
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
||||||
|
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) {
|
||||||
|
+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (fallback)
|
||||||
|
return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md));
|
||||||
|
|
||||||
|
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||||
|
index 77a8055e81..aa1be5ca7f 100644
|
||||||
|
--- a/doc/man5/config.pod
|
||||||
|
+++ b/doc/man5/config.pod
|
||||||
|
@@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning:
|
||||||
|
The value may be anything that is acceptable as a property query
|
||||||
|
string for EVP_set_default_properties().
|
||||||
|
|
||||||
|
+=item B<rh-allow-sha1-signatures>
|
||||||
|
+
|
||||||
|
+The value is a boolean that can be B<yes> or B<no>. If the value is not set,
|
||||||
|
+it behaves as if it was set to B<no>.
|
||||||
|
+
|
||||||
|
+When set to B<no>, any attempt to create or verify a signature with a SHA1
|
||||||
|
+digest will fail. For compatibility with older versions of OpenSSL, set this
|
||||||
|
+option to B<yes>. This setting also affects TLS, where signature algorithms
|
||||||
|
+that use SHA1 as digest will no longer be supported if this option is set to
|
||||||
|
+B<no>.
|
||||||
|
+
|
||||||
|
=item B<fips_mode> (deprecated)
|
||||||
|
|
||||||
|
The value is a boolean that can be B<yes> or B<no>. If the value is
|
||||||
|
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
|
||||||
|
index 1291299b6e..e234341e6a 100644
|
||||||
|
--- a/include/internal/cryptlib.h
|
||||||
|
+++ b/include/internal/cryptlib.h
|
||||||
|
@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st {
|
||||||
|
# define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16
|
||||||
|
# define OSSL_LIB_CTX_BIO_CORE_INDEX 17
|
||||||
|
# define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18
|
||||||
|
-# define OSSL_LIB_CTX_MAX_INDEXES 19
|
||||||
|
+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19
|
||||||
|
+# define OSSL_LIB_CTX_MAX_INDEXES 20
|
||||||
|
|
||||||
|
# define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1
|
||||||
|
# define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0
|
||||||
|
diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h
|
||||||
|
index fd7f7e3331..05464b0655 100644
|
||||||
|
--- a/include/internal/sslconf.h
|
||||||
|
+++ b/include/internal/sslconf.h
|
||||||
|
@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx);
|
||||||
|
void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr,
|
||||||
|
char **arg);
|
||||||
|
|
||||||
|
+/* Methods to support disabling all signatures with legacy digests */
|
||||||
|
+int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig);
|
||||||
|
+int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow,
|
||||||
|
+ int loadconfig);
|
||||||
|
#endif
|
||||||
|
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
|
||||||
|
index 699ada7c52..e534ad0a5f 100644
|
||||||
|
--- a/providers/common/securitycheck.c
|
||||||
|
+++ b/providers/common/securitycheck.c
|
||||||
|
@@ -19,6 +19,7 @@
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include "prov/securitycheck.h"
|
||||||
|
+#include "internal/sslconf.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* FIPS requires a minimum security strength of 112 bits (for encryption or
|
||||||
|
@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||||
|
mdnid = -1; /* disallowed by security checks */
|
||||||
|
}
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
+
|
||||||
|
+#ifndef FIPS_MODULE
|
||||||
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
||||||
|
+ /* SHA1 is globally disabled, check whether we want to locally allow
|
||||||
|
+ * it. */
|
||||||
|
+ if (mdnid == NID_sha1 && !sha1_allowed)
|
||||||
|
+ mdnid = -1;
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return mdnid;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md)
|
||||||
|
if (ossl_securitycheck_enabled(ctx))
|
||||||
|
return ossl_digest_get_approved_nid(md) != NID_undef;
|
||||||
|
# endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
|
||||||
|
+
|
||||||
|
+#ifndef FIPS_MODULE
|
||||||
|
+ {
|
||||||
|
+ int mdnid = EVP_MD_nid(md);
|
||||||
|
+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1)
|
||||||
|
+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
|
||||||
|
index de7f0d3a0a..ce54a94fbc 100644
|
||||||
|
--- a/providers/common/securitycheck_default.c
|
||||||
|
+++ b/providers/common/securitycheck_default.c
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include <openssl/obj_mac.h>
|
||||||
|
#include "prov/securitycheck.h"
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
+#include "internal/sslconf.h"
|
||||||
|
|
||||||
|
/* Disable the security checks in the default provider */
|
||||||
|
int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||||
|
@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx)
|
||||||
|
}
|
||||||
|
|
||||||
|
int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||||
|
- ossl_unused int sha1_allowed)
|
||||||
|
+ int sha1_allowed)
|
||||||
|
{
|
||||||
|
int mdnid;
|
||||||
|
+ int ldsigs_allowed;
|
||||||
|
|
||||||
|
static const OSSL_ITEM name_to_nid[] = {
|
||||||
|
{ NID_md5, OSSL_DIGEST_NAME_MD5 },
|
||||||
|
@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md,
|
||||||
|
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
|
||||||
|
};
|
||||||
|
|
||||||
|
- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1);
|
||||||
|
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0);
|
||||||
|
+ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed);
|
||||||
|
if (mdnid == NID_undef)
|
||||||
|
mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid));
|
||||||
|
+ if (mdnid == NID_md5_sha1 && !ldsigs_allowed)
|
||||||
|
+ mdnid = -1;
|
||||||
|
return mdnid;
|
||||||
|
}
|
||||||
|
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c
|
||||||
|
index 28fd7c498e..fa3822f39f 100644
|
||||||
|
--- a/providers/implementations/signature/dsa_sig.c
|
||||||
|
+++ b/providers/implementations/signature/dsa_sig.c
|
||||||
|
@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx,
|
||||||
|
mdprops = ctx->propq;
|
||||||
|
|
||||||
|
if (mdname != NULL) {
|
||||||
|
- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||||
|
WPACKET pkt;
|
||||||
|
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||||
|
- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||||
|
- sha1_allowed);
|
||||||
|
+ int md_nid;
|
||||||
|
size_t mdname_len = strlen(mdname);
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
+ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||||
|
+#else
|
||||||
|
+ int sha1_allowed = 0;
|
||||||
|
+#endif
|
||||||
|
+ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||||
|
+ sha1_allowed);
|
||||||
|
|
||||||
|
if (md == NULL || md_nid < 0) {
|
||||||
|
if (md == NULL)
|
||||||
|
diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c
|
||||||
|
index 865d49d100..99b228e82c 100644
|
||||||
|
--- a/providers/implementations/signature/ecdsa_sig.c
|
||||||
|
+++ b/providers/implementations/signature/ecdsa_sig.c
|
||||||
|
@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname,
|
||||||
|
"%s could not be fetched", mdname);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||||
|
+#else
|
||||||
|
+ sha1_allowed = 0;
|
||||||
|
+#endif
|
||||||
|
md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md,
|
||||||
|
sha1_allowed);
|
||||||
|
if (md_nid < 0) {
|
||||||
|
diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
|
||||||
|
index 325e855333..bea397f0c1 100644
|
||||||
|
--- a/providers/implementations/signature/rsa_sig.c
|
||||||
|
+++ b/providers/implementations/signature/rsa_sig.c
|
||||||
|
@@ -26,6 +26,7 @@
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
#include "internal/sizes.h"
|
||||||
|
+#include "internal/sslconf.h"
|
||||||
|
#include "crypto/rsa.h"
|
||||||
|
#include "prov/providercommon.h"
|
||||||
|
#include "prov/implementations.h"
|
||||||
|
@@ -34,6 +35,7 @@
|
||||||
|
#include "prov/securitycheck.h"
|
||||||
|
|
||||||
|
#define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1
|
||||||
|
+#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256
|
||||||
|
|
||||||
|
static OSSL_FUNC_signature_newctx_fn rsa_newctx;
|
||||||
|
static OSSL_FUNC_signature_sign_init_fn rsa_sign_init;
|
||||||
|
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
|
||||||
|
|
||||||
|
if (mdname != NULL) {
|
||||||
|
EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
|
||||||
|
+ int md_nid;
|
||||||
|
+ size_t mdname_len = strlen(mdname);
|
||||||
|
+#ifdef FIPS_MODULE
|
||||||
|
int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN);
|
||||||
|
- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||||
|
+#else
|
||||||
|
+ int sha1_allowed = 0;
|
||||||
|
+#endif
|
||||||
|
+ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md,
|
||||||
|
sha1_allowed);
|
||||||
|
- size_t mdname_len = strlen(mdname);
|
||||||
|
|
||||||
|
if (md == NULL
|
||||||
|
|| md_nid <= 0
|
||||||
|
@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
|
||||||
|
prsactx->pad_mode = pad_mode;
|
||||||
|
|
||||||
|
if (prsactx->md == NULL && pmdname == NULL
|
||||||
|
- && pad_mode == RSA_PKCS1_PSS_PADDING)
|
||||||
|
+ && pad_mode == RSA_PKCS1_PSS_PADDING) {
|
||||||
|
pmdname = RSA_DEFAULT_DIGEST_NAME;
|
||||||
|
+#ifndef FIPS_MODULE
|
||||||
|
+ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) {
|
||||||
|
+ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
|
||||||
|
if (pmgf1mdname != NULL
|
||||||
|
&& !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops))
|
||||||
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
|
index fc32bb3556..4b74ee1a34 100644
|
||||||
|
--- a/ssl/t1_lib.c
|
||||||
|
+++ b/ssl/t1_lib.c
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
#include <openssl/provider.h>
|
||||||
|
#include <openssl/param_build.h>
|
||||||
|
+#include "internal/sslconf.h"
|
||||||
|
#include "internal/nelem.h"
|
||||||
|
#include "internal/sizes.h"
|
||||||
|
#include "internal/tlsgroups.h"
|
||||||
|
@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||||
|
= OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl));
|
||||||
|
EVP_PKEY *tmpkey = EVP_PKEY_new();
|
||||||
|
int ret = 0;
|
||||||
|
+ int ldsigs_allowed;
|
||||||
|
|
||||||
|
if (cache == NULL || tmpkey == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
ERR_set_mark();
|
||||||
|
+ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0);
|
||||||
|
for (i = 0, lu = sigalg_lookup_tbl;
|
||||||
|
i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) {
|
||||||
|
EVP_PKEY_CTX *pctx;
|
||||||
|
@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx)
|
||||||
|
cache[i].enabled = 0;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
+ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1)
|
||||||
|
+ && !ldsigs_allowed) {
|
||||||
|
+ cache[i].enabled = 0;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (!EVP_PKEY_set_type(tmpkey, lu->sig)) {
|
||||||
|
cache[i].enabled = 0;
|
||||||
|
diff --git a/util/libcrypto.num b/util/libcrypto.num
|
||||||
|
index 10b4e57d79..2d3c363bb0 100644
|
||||||
|
--- a/util/libcrypto.num
|
||||||
|
+++ b/util/libcrypto.num
|
||||||
|
@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||||
|
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
||||||
|
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||||
|
ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
+ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
+ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -0,0 +1,95 @@
|
|||||||
|
diff -up openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips openssl-3.0.1/crypto/pkcs12/p12_key.c
|
||||||
|
--- openssl-3.0.1/crypto/pkcs12/p12_key.c.pkc12_fips 2022-02-21 12:35:24.829893907 +0100
|
||||||
|
+++ openssl-3.0.1/crypto/pkcs12/p12_key.c 2022-02-21 13:01:22.711622967 +0100
|
||||||
|
@@ -85,17 +85,41 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
||||||
|
EVP_KDF *kdf;
|
||||||
|
EVP_KDF_CTX *ctx;
|
||||||
|
OSSL_PARAM params[6], *p = params;
|
||||||
|
+ char *adjusted_propq = NULL;
|
||||||
|
|
||||||
|
if (n <= 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- kdf = EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
||||||
|
- if (kdf == NULL)
|
||||||
|
+ if (ossl_get_kernel_fips_flag()) {
|
||||||
|
+ const char *nofips = "-fips";
|
||||||
|
+ size_t len = propq ? strlen(propq) + 1 + strlen(nofips) + 1 :
|
||||||
|
+ strlen(nofips) + 1;
|
||||||
|
+ char *ptr = NULL;
|
||||||
|
+
|
||||||
|
+ adjusted_propq = OPENSSL_zalloc(len);
|
||||||
|
+ if (adjusted_propq != NULL) {
|
||||||
|
+ ptr = adjusted_propq;
|
||||||
|
+ if (propq) {
|
||||||
|
+ memcpy(ptr, propq, strlen(propq));
|
||||||
|
+ ptr += strlen(propq);
|
||||||
|
+ *ptr = ',';
|
||||||
|
+ ptr++;
|
||||||
|
+ }
|
||||||
|
+ memcpy(ptr, nofips, strlen(nofips));
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ kdf = adjusted_propq ? EVP_KDF_fetch(libctx, "PKCS12KDF", adjusted_propq) : EVP_KDF_fetch(libctx, "PKCS12KDF", propq);
|
||||||
|
+ if (kdf == NULL) {
|
||||||
|
+ OPENSSL_free(adjusted_propq);
|
||||||
|
return 0;
|
||||||
|
+ }
|
||||||
|
ctx = EVP_KDF_CTX_new(kdf);
|
||||||
|
EVP_KDF_free(kdf);
|
||||||
|
- if (ctx == NULL)
|
||||||
|
+ if (ctx == NULL) {
|
||||||
|
+ OPENSSL_free(adjusted_propq);
|
||||||
|
return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
|
||||||
|
(char *)EVP_MD_get0_name(md_type),
|
||||||
|
@@ -127,6 +149,7 @@ int PKCS12_key_gen_uni_ex(unsigned char
|
||||||
|
} OSSL_TRACE_END(PKCS12_KEYGEN);
|
||||||
|
}
|
||||||
|
EVP_KDF_CTX_free(ctx);
|
||||||
|
+ OPENSSL_free(adjusted_propq);
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps openssl-3.0.1/apps/pkcs12.c
|
||||||
|
--- openssl-3.0.1/apps/pkcs12.c.pkc12_fips_apps 2022-02-21 16:37:07.908923682 +0100
|
||||||
|
+++ openssl-3.0.1/apps/pkcs12.c 2022-02-21 17:38:44.555345633 +0100
|
||||||
|
@@ -765,15 +765,34 @@ int pkcs12_main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
if (macver) {
|
||||||
|
EVP_KDF *pkcs12kdf;
|
||||||
|
+ char *adjusted_propq = NULL;
|
||||||
|
+ const char *nofips = "-fips";
|
||||||
|
+ size_t len = app_get0_propq() ? strlen(app_get0_propq()) + 1 + strlen(nofips) + 1 :
|
||||||
|
+ strlen(nofips) + 1;
|
||||||
|
+ char *ptr = NULL;
|
||||||
|
+
|
||||||
|
+ adjusted_propq = OPENSSL_zalloc(len);
|
||||||
|
+ if (adjusted_propq != NULL) {
|
||||||
|
+ ptr = adjusted_propq;
|
||||||
|
+ if (app_get0_propq()) {
|
||||||
|
+ memcpy(ptr, app_get0_propq(), strlen(app_get0_propq()));
|
||||||
|
+ ptr += strlen(app_get0_propq());
|
||||||
|
+ *ptr = ',';
|
||||||
|
+ ptr++;
|
||||||
|
+ }
|
||||||
|
+ memcpy(ptr, nofips, strlen(nofips));
|
||||||
|
+ }
|
||||||
|
|
||||||
|
pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
|
||||||
|
- app_get0_propq());
|
||||||
|
+ adjusted_propq ? adjusted_propq : app_get0_propq());
|
||||||
|
if (pkcs12kdf == NULL) {
|
||||||
|
BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
|
||||||
|
BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
|
||||||
|
+ OPENSSL_free(adjusted_propq);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
EVP_KDF_free(pkcs12kdf);
|
||||||
|
+ OPENSSL_free(adjusted_propq);
|
||||||
|
/* If we enter empty password try no password first */
|
||||||
|
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
|
||||||
|
/* If mac and crypto pass the same set it to NULL too */
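Review bot: In the `PKCS12_key_gen_uni_ex` hunk a failed `OPENSSL_zalloc(len)` is never reported: `adjusted_propq` stays NULL and the code silently fetches `PKCS12KDF` with the caller's unmodified `propq`, so under the kernel FIPS flag the fetch then fails for a reason that has nothing to do with memory. Treating it as an error — `if (adjusted_propq == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); return 0; }` — keeps the failure mode explicit and fail-closed. The same hand-rolled `strlen`/`memcpy` concatenation is repeated in `pkcs12_main` in apps/pkcs12.c, where it has the same silent fallback and is applied without the `ossl_get_kernel_fips_flag()` guard used in p12_key.c; a shared helper would keep the two in step, and a comment should state whether the unconditional app-side `-fips` override is intended. Both enclosing functions extend beyond the hunks.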
|
@ -0,0 +1,51 @@
|
|||||||
|
From 1c6d5f6162a46bcde94e8ae9eaa0c41da1d7faa3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Tue, 1 Mar 2022 15:44:18 +0100
|
||||||
|
Subject: [PATCH] Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
|
||||||
|
|
||||||
|
References: rhbz#2055796
|
||||||
|
---
|
||||||
|
doc/man5/config.pod | 7 ++++++-
|
||||||
|
ssl/t1_lib.c | 8 ++++++++
|
||||||
|
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
|
||||||
|
index aa1be5ca7f..aa69e2b844 100644
|
||||||
|
--- a/doc/man5/config.pod
|
||||||
|
+++ b/doc/man5/config.pod
|
||||||
|
@@ -305,7 +305,12 @@ When set to B<no>, any attempt to create or verify a signature with a SHA1
|
||||||
|
digest will fail. For compatibility with older versions of OpenSSL, set this
|
||||||
|
option to B<yes>. This setting also affects TLS, where signature algorithms
|
||||||
|
that use SHA1 as digest will no longer be supported if this option is set to
|
||||||
|
-B<no>.
|
||||||
|
+B<no>. Note that enabling B<rh-allow-sha1-signatures> will allow TLS signature
|
||||||
|
+algorithms that use SHA1 in security level 2, despite the definition of
|
||||||
|
+security level 2 of 112 bits of security, which SHA1 does not meet. Because
|
||||||
|
+TLS 1.1 or lower use MD5-SHA1 as pseudorandom function (PRF) to derive key
|
||||||
|
+material, disabling B<rh-allow-sha1-signatures> requires the use of TLS 1.2 or
|
||||||
|
+newer.
|
||||||
|
|
||||||
|
=item B<fips_mode> (deprecated)
|
||||||
|
|
||||||
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
||||||
|
index 4b74ee1a34..724ded67ba 100644
|
||||||
|
--- a/ssl/t1_lib.c
|
||||||
|
+++ b/ssl/t1_lib.c
|
||||||
|
@@ -2106,6 +2106,14 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (lu->hash == NID_sha1
|
||||||
|
+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
|
||||||
|
+ && SSL_get_security_level(s) < 3) {
|
||||||
|
+ /* when rh-allow-sha1-signatures = yes and security level <= 2,
|
||||||
|
+ * explicitly allow SHA1 for backwards compatibility */
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Finally see if security callback allows it */
|
||||||
|
secbits = sigalg_security_bits(s->ctx, lu);
|
||||||
|
sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
|
||||||
|
--
|
||||||
|
2.35.1
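Review bot: The early `return 1` added to `tls12_sigalg_allowed` skips the step the very next comment announces (`/* Finally see if security callback allows it */`), so with `rh-allow-sha1-signatures = yes` and a level below 3 a security callback installed by the application is never consulted for SHA1 signature algorithms and cannot veto them. The override would be narrower if it only lifted the strength fed to the default level check and still fell through to the callback, e.g. computing `secbits` first and raising it to the 112 bits that the config.pod hunk says level 2 expects; the fence below sketches that (the function's tail is outside the hunk). The condition also names only `NID_sha1`, while `ssl_setup_sig_algs` in the earlier patch gates `NID_md5_sha1` entries on the same option; that asymmetry may well be intentional, since MD5-SHA1 is weaker still, but a comment saying so would settle it.
```c
    /* Finally see if security callback allows it */
    secbits = sigalg_security_bits(s->ctx, lu);
    if (lu->hash == NID_sha1
            && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0)
            && SSL_get_security_level(s) < 3
            && secbits < 112) {
        /* rh-allow-sha1-signatures = yes: let SHA1 pass the level 0-2
         * strength test, but still give the security callback a say */
        secbits = 112;
    }
    sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
    /* … unchanged: remaining tail of the function … */
```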
|
||||||
|
|
@ -0,0 +1,188 @@
|
|||||||
|
From 23f1773ddf92979006d0f438523f3c73320c384f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:30 +0100
|
||||||
|
Subject: [PATCH] Add documentation of BN_mod_sqrt()
|
||||||
|
|
||||||
|
---
|
||||||
|
doc/man3/BN_add.pod | 15 +++++++++++++--
|
||||||
|
util/missingcrypto.txt | 1 -
|
||||||
|
2 files changed, 13 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
|
||||||
|
index 62d3ee7205..cf6c49c0e3 100644
|
||||||
|
--- a/doc/man3/BN_add.pod
|
||||||
|
+++ b/doc/man3/BN_add.pod
|
||||||
|
@@ -3,7 +3,7 @@
|
||||||
|
=head1 NAME
|
||||||
|
|
||||||
|
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
|
||||||
|
-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
|
+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
|
||||||
|
arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
|
=head1 SYNOPSIS
|
||||||
|
@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
|
||||||
|
|
||||||
|
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
|
||||||
|
|
||||||
|
+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
|
||||||
|
+
|
||||||
|
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
|
||||||
|
|
||||||
|
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
|
||||||
|
@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
|
||||||
|
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
|
||||||
|
result in I<r>.
|
||||||
|
|
||||||
|
+BN_mod_sqrt() returns the modular square root of I<a> such that
|
||||||
|
+C<in^2 = a (mod p)>. The modulus I<p> must be a
|
||||||
|
+prime, otherwise an error or an incorrect "result" will be returned.
|
||||||
|
+The result is stored into I<in> which can be NULL. The result will be
|
||||||
|
+newly allocated in that case.
|
||||||
|
+
|
||||||
|
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
|
||||||
|
(C<r=a^p>). This function is faster than repeated applications of
|
||||||
|
BN_mul().
|
||||||
|
@@ -108,7 +116,10 @@ the arguments.
|
||||||
|
|
||||||
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
|
-For all functions, 1 is returned for success, 0 on error. The return
|
||||||
|
+The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
|
||||||
|
+not a prime), or NULL.
|
||||||
|
+
|
||||||
|
+For all remaining functions, 1 is returned for success, 0 on error. The return
|
||||||
|
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
|
||||||
|
The error codes can be obtained by L<ERR_get_error(3)>.
|
||||||
|
|
||||||
|
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
|
||||||
|
index b61bdeb880..4d2fd7f6b7 100644
|
||||||
|
--- a/util/missingcrypto.txt
|
||||||
|
+++ b/util/missingcrypto.txt
|
||||||
|
@@ -264,7 +264,6 @@ BN_mod_lshift(3)
|
||||||
|
BN_mod_lshift1(3)
|
||||||
|
BN_mod_lshift1_quick(3)
|
||||||
|
BN_mod_lshift_quick(3)
|
||||||
|
-BN_mod_sqrt(3)
|
||||||
|
BN_mod_sub_quick(3)
|
||||||
|
BN_nist_mod_192(3)
|
||||||
|
BN_nist_mod_224(3)
|
||||||
|
|
||||||
|
From 46673310c9a755b2a56f53d115854983d6ada11a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:35 +0100
|
||||||
|
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
|
||||||
|
|
||||||
|
---
|
||||||
|
test/bntest.c | 11 ++++++++++-
|
||||||
|
test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
|
||||||
|
2 files changed, 22 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/test/bntest.c b/test/bntest.c
|
||||||
|
index efdb3ef963..d49f87373a 100644
|
||||||
|
--- a/test/bntest.c
|
||||||
|
+++ b/test/bntest.c
|
||||||
|
@@ -1732,8 +1732,17 @@ static int file_modsqrt(STANZA *s)
|
||||||
|
|| !TEST_ptr(ret2 = BN_new()))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+ if (BN_is_negative(mod_sqrt)) {
|
||||||
|
+ /* A negative testcase */
|
||||||
|
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ st = 1;
|
||||||
|
+ goto err;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* There are two possible answers. */
|
||||||
|
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
|
||||||
|
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|
||||||
|
|| !TEST_true(BN_sub(ret2, p, ret)))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
index e22d656091..bc8a434ea5 100644
|
||||||
|
--- a/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
+++ b/test/recipes/10-test_bn_data/bnmod.txt
|
||||||
|
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
|
||||||
|
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
|
||||||
|
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
+
|
||||||
|
+# Negative testcases for BN_mod_sqrt()
|
||||||
|
+
|
||||||
|
+# This one triggers an infinite loop with unfixed implementation
|
||||||
|
+# It should just fail.
|
||||||
|
+ModSqrt = -1
|
||||||
|
+A = 20a7ee
|
||||||
|
+P = 460201
|
||||||
|
+
|
||||||
|
+ModSqrt = -1
|
||||||
|
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
|
||||||
|
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
|
||||||
|
|
||||||
|
From cafcc62d7719dea73f334c9ef763d1e215fcd94d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tomas@openssl.org>
|
||||||
|
Date: Mon, 28 Feb 2022 18:26:21 +0100
|
||||||
|
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
|
||||||
|
|
||||||
|
The calculation in some cases does not finish for non-prime p.
|
||||||
|
|
||||||
|
This fixes CVE-2022-0778.
|
||||||
|
|
||||||
|
Based on patch by David Benjamin <davidben@google.com>.
|
||||||
|
---
|
||||||
|
crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
|
||||||
|
1 file changed, 18 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
|
||||||
|
index b663ae5ec5..c5ea7ab194 100644
|
||||||
|
--- a/crypto/bn/bn_sqrt.c
|
||||||
|
+++ b/crypto/bn/bn_sqrt.c
|
||||||
|
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||||
|
/*
|
||||||
|
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
|
||||||
|
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
|
||||||
|
- * Theory", algorithm 1.5.1). 'p' must be prime!
|
||||||
|
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
|
||||||
|
+ * an incorrect "result" will be returned.
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
BIGNUM *ret = in;
|
||||||
|
@@ -303,18 +304,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||||
|
goto vrfy;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* find smallest i such that b^(2^i) = 1 */
|
||||||
|
- i = 1;
|
||||||
|
- if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
|
- goto end;
|
||||||
|
- while (!BN_is_one(t)) {
|
||||||
|
- i++;
|
||||||
|
- if (i == e) {
|
||||||
|
- ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE);
|
||||||
|
- goto end;
|
||||||
|
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
|
||||||
|
+ for (i = 1; i < e; i++) {
|
||||||
|
+ if (i == 1) {
|
||||||
|
+ if (!BN_mod_sqr(t, b, p, ctx))
|
||||||
|
+ goto end;
|
||||||
|
+
|
||||||
|
+ } else {
|
||||||
|
+ if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
- if (!BN_mod_mul(t, t, t, p, ctx))
|
||||||
|
- goto end;
|
||||||
|
+ if (BN_is_one(t))
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ /* If not found, a is not a square or p is not prime. */
|
||||||
|
+ if (i >= e) {
|
||||||
|
+ ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE);
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* t := y^2^(e - i - 1) */
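Review bot: In the `BN_mod_sqrt` hunk the `i == 1` special case is re-evaluated on every pass of the new loop; hoisting the initial `BN_mod_sqr` out of the loop and folding the `BN_is_one(t)` test into the loop condition leaves the same `i` on exit with one branch less per iteration, the only difference being one extra squaring when no such `i` exists (sketched below). The bounded `for (i = 1; i < e; i++)` is what guarantees termination for a non-prime `p` — the CVE-2022-0778 condition named in the commit message — so `i < e` must remain the sole loop bound in any restyle. The new `file_modsqrt` branch keys negative cases on `BN_is_negative(mod_sqrt)`, which the `ModSqrt = -1` entries in bnmod.txt rely on; a comment in bntest.c naming that convention (`/* ModSqrt < 0 in the data file marks a case that must fail */`) would tie the two files together. The rest of the Tonelli/Shanks body lies outside the hunk.
```c
    /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
    if (!BN_mod_sqr(t, b, p, ctx))
        goto end;
    for (i = 1; i < e && !BN_is_one(t); i++) {
        if (!BN_mod_mul(t, t, t, p, ctx))
            goto end;
    }
    /* If not found, a is not a square or p is not prime. */
    if (i >= e) {
    /* … unchanged: ERR_raise(ERR_LIB_BN, BN_R_NOT_A_SQUARE); goto end; … */
```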
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/apps/s_client.c.coverity openssl-3.0.0/apps/s_client.c
|
|
||||||
--- openssl-3.0.0/apps/s_client.c.coverity 2021-10-07 16:59:37.938432118 +0200
|
|
||||||
+++ openssl-3.0.0/apps/s_client.c 2021-10-07 17:00:52.994075755 +0200
|
|
||||||
@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv)
|
|
||||||
#endif
|
|
||||||
OPENSSL_free(connectstr);
|
|
||||||
OPENSSL_free(bindstr);
|
|
||||||
+ OPENSSL_free(bindhost);
|
|
||||||
+ OPENSSL_free(bindport);
|
|
||||||
OPENSSL_free(host);
|
|
||||||
OPENSSL_free(port);
|
|
||||||
OPENSSL_free(thost);
|
|
@ -0,0 +1,11 @@
|
|||||||
|
# https://one.redhat.com/rhel-developer-guide/#_modifying_a_per_package_rpminspect_yaml_file
|
||||||
|
# https://github.com/rpminspect/rpminspect/blob/master/data/generic.yaml
|
||||||
|
badfuncs:
|
||||||
|
# Optional list of glob(7) specifications to match files to ignore
|
||||||
|
# for this inspection. The format of this list is the same as the
|
||||||
|
# global 'ignore' list. The difference is the items specified
|
||||||
|
# here will only be used during this inspection.
|
||||||
|
# XXX we should have an option to ignore only one func, gethostbyname, but currently we don't
|
||||||
|
ignore:
|
||||||
|
- /usr/lib*/libcrypto.so*
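Review bot: The `ignore` glob `/usr/lib*/libcrypto.so*` switches off the whole `badfuncs` inspection for libcrypto, not just the `gethostbyname` finding the XXX comment mentions, so any other forbidden-function reference that lands in libcrypto later will go unreported. Until rpminspect can exempt a single function, the entry deserves a comment recording the scope of the waiver, e.g. `# Waives every badfuncs finding in libcrypto, not only gethostbyname; re-check the findings whenever this file is touched`, so the exemption is revisited rather than inherited. With no other inspections configured here, the glob's reach is otherwise clear.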
|
||||||
|
|
@ -1 +1 @@
|
|||||||
SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27
|
SHA512 (openssl-3.0.1-hobbled.tar.xz) = 8819d02a6961c2398d0fb4003f25a322f752254b5c3440cd3e9456df5c56dadbc8a1aa6f821f176941293d67771304b3a565b3b8ce7a3ac0b7ad221da97c4dfe
|
||||||
|