From 45ebb7fdc228d3984726ecbf5656880386df8550 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 6 Sep 2019 17:02:18 +0200
Subject: [PATCH 1/8] upstream fix for status request extension non-compliance (#1737471)
---
 openssl-1.1.1-status-request.patch | 36 ++++++++++++++++++++++++++++++
 openssl.spec | 3 +++
 2 files changed, 39 insertions(+)
 create mode 100644 openssl-1.1.1-status-request.patch
diff --git a/openssl-1.1.1-status-request.patch b/openssl-1.1.1-status-request.patch
new file mode 100644
index 0000000..3f92cd5
--- /dev/null
+++ b/openssl-1.1.1-status-request.patch
@@ -0,0 +1,36 @@
+From 93e26cedac20844733d59f33e313880da17fa23a Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Thu, 5 Sep 2019 16:43:57 +0100
+Subject: [PATCH 1/2] Don't send a status_request extension in a
+ CertificateRequest message
+
+If a TLSv1.3 server configured to respond to the status_request extension
+also attempted to send a CertificateRequest then it was incorrectly
+inserting a non zero length status_request extension into that message.
+
+The TLSv1.3 RFC does allow that extension in that message but it must
+always be zero length.
+
+In fact we should not be sending the extension at all in that message
+because we don't support it.
+
+Fixes #9767
+---
+ ssl/statem/extensions_srvr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
+index e16722cbeb8..1c023fc6c40 100644
+--- a/ssl/statem/extensions_srvr.c
++++ b/ssl/statem/extensions_srvr.c
+@@ -1491,6 +1491,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
+ unsigned int context, X509 *x,
+ size_t chainidx)
+ {
++ /* We don't currently support this extension inside a CertificateRequest */
++ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
++ return EXT_RETURN_NOT_SENT;
++
+ if (!s->ext.status_expected)
+ return EXT_RETURN_NOT_SENT;
+
diff --git a/openssl.spec b/openssl.spec
index fbd2b87..19af11a 100644
--- a/openssl.spec
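Review bot: The new `openssl-1.1.1-status-request.patch` does not appear to be applied by the build: the diffstat lists `openssl.spec | 3 +++`, and the only spec hunk (`@@ -454,6 +454,9 @@`) adds changelog lines, so no patch declaration or apply step references the file. Unless the spec picks up patch files through a mechanism not visible here, the 1.1.1c-6 changelog entry would claim a TLS 1.3 status_request compliance fix that the built package does not contain. I would add the declaration and the apply step next to the existing ones, e.g. `PatchNN: openssl-1.1.1-status-request.patch` and `%patchNN -p1` (NN is a placeholder for the next free patch number in this spec).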
+++ b/openssl.spec @@ -454,6 +454,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Fri Sep 6 2019 Tomáš Mráz 1.1.1c-6 +- upstream fix for status request extension non-compliance (#1737471) + * Thu Jul 25 2019 Fedora Release Engineering - 1:1.1.1c-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From c44b3f96fe9fad86122cb6bffb47edc8100fcdc1 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 6 Sep 2019 17:18:46 +0200 Subject: [PATCH 2/8] Bump release correctly --- openssl.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssl.spec b/openssl.spec index 19af11a..0670bd8 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1c -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. From f6a62c4c2ca8d8156e978be92921ad45ee05b8ad Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 13 Sep 2019 17:25:44 +0200 Subject: [PATCH 3/8] update to the 1.1.1d release --- .gitignore | 1 + ec_curve.c | 114 +++- ectest.c | 444 +++++++++++- openssl-1.1.0-no-html.patch | 12 - openssl-1.1.1-evp-kdf.patch | 336 +++++---- openssl-1.1.1-fips-crng-test.patch | 61 +- openssl-1.1.1-fips-post-rand.patch | 96 ++- openssl-1.1.1-fips.patch | 972 +++++++++++---------------- openssl-1.1.1-no-brainpool.patch | 54 +- openssl-1.1.1-no-html.patch | 12 + openssl-1.1.1-upstream-sync.patch | 661 ++++-------------- openssl-1.1.1-version-override.patch | 12 +- openssl.spec | 9 +- sources | 2 +- 14 files changed, 1386 insertions(+), 1400 deletions(-) delete mode 100644 openssl-1.1.0-no-html.patch create mode 100644 openssl-1.1.1-no-html.patch diff --git a/.gitignore b/.gitignore index a3a6054..f5aac5a 100644 --- a/.gitignore +++ b/.gitignore 
@@ -44,3 +44,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-1.1.1a-hobbled.tar.xz /openssl-1.1.1b-hobbled.tar.xz /openssl-1.1.1c-hobbled.tar.xz +/openssl-1.1.1d-hobbled.tar.xz diff --git a/ec_curve.c b/ec_curve.c index 58f8f3f..342765a 100644 --- a/ec_curve.c +++ b/ec_curve.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use 
@@ -468,3 +468,115 @@ int EC_curve_nist2nid(const char *name)
 }
 return NID_undef;
 }
+
+#define NUM_BN_FIELDS 6
+/*
+ * Validates EC domain parameter data for known named curves.
+ * This can be used when a curve is loaded explicitly (without a curve
+ * name) or to validate that domain parameters have not been modified.
+ *
+ * Returns: The nid associated with the found named curve, or NID_undef
+ * if not found. If there was an error it returns -1.
+ */
+int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
+{
+ int ret = -1, nid, len, field_type, param_len;
+ size_t i, seed_len;
+ const unsigned char *seed, *params_seed, *params;
+ unsigned char *param_bytes = NULL;
+ const EC_CURVE_DATA *data;
+ const EC_POINT *generator = NULL;
+ const EC_METHOD *meth;
+ const BIGNUM *cofactor = NULL;
+ /* An array of BIGNUMs for (p, a, b, x, y, order) */
+ BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
+
+ meth = EC_GROUP_method_of(group);
+ if (meth == NULL)
+ return -1;
+ /* Use the optional named curve nid as a search field */
+ nid = EC_GROUP_get_curve_name(group);
+ field_type = EC_METHOD_get_field_type(meth);
+ seed_len = EC_GROUP_get_seed_len(group);
+ seed = EC_GROUP_get0_seed(group);
+ cofactor = EC_GROUP_get0_cofactor(group);
+
+ BN_CTX_start(ctx);
+
+ /*
+ * The built-in curves contains data fields (p, a, b, x, y, order) that are
+ * all zero-padded to be the same size. The size of the padding is
+ * determined by either the number of bytes in the field modulus (p) or the
+ * EC group order, whichever is larger.
+ */
+ param_len = BN_num_bytes(group->order);
+ len = BN_num_bytes(group->field);
+ if (len > param_len)
+ param_len = len;
+
+ /* Allocate space to store the padded data for (p, a, b, x, y, order) */
+ param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
+ if (param_bytes == NULL)
+ goto end;
+
+ /* Create the bignums */
+ for (i = 0; i < NUM_BN_FIELDS; ++i) {
+ if ((bn[i] = BN_CTX_get(ctx)) == NULL)
+ goto end;
+ }
+ /*
+ * Fill in the bn array with the same values as the internal curves
+ * i.e. the values are p, a, b, x, y, order.
+ */
+ /* Get p, a & b */
+ if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
+ && ((generator = EC_GROUP_get0_generator(group)) != NULL)
+ /* Get x & y */
+ && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
+ /* Get order */
+ && EC_GROUP_get_order(group, bn[5], ctx)))
+ goto end;
+
+ /*
+ * Convert the bignum array to bytes that are joined together to form
+ * a single buffer that contains data for all fields.
+ * (p, a, b, x, y, order) are all zero padded to be the same size.
+ */
+ for (i = 0; i < NUM_BN_FIELDS; ++i) {
+ if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
+ goto end;
+ }
+
+ for (i = 0; i < curve_list_length; i++) {
+ const ec_list_element curve = curve_list[i];
+
+ data = curve.data;
+ /* Get the raw order byte data */
+ params_seed = (const unsigned char *)(data + 1); /* skip header */
+ params = params_seed + data->seed_len;
+
+ /* Look for unique fields in the fixed curve data */
+ if (data->field_type == field_type
+ && param_len == data->param_len
+ && (nid <= 0 || nid == curve.nid)
+ /* check the optional cofactor (ignore if its zero) */
+ && (BN_is_zero(cofactor)
+ || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
+ /* Check the optional seed (ignore if its not set) */
+ && (data->seed_len == 0 || seed_len == 0
+ || ((size_t)data->seed_len == seed_len
+ && memcmp(params_seed, seed, seed_len) == 0))
+ /* Check that the groups params match the built-in curve params */
+ && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
+ == 0) {
+ ret = curve.nid;
+ goto end;
+ }
+ }
+ /* Gets here if the group was not found */
+ ret = NID_undef;
+end:
+ OPENSSL_free(param_bytes);
+ BN_CTX_end(ctx);
+ return ret;
+}
diff --git a/ectest.c b/ectest.c
index 53adf88..ef4e6b9 100644
--- a/ectest.c
+++ b/ectest.c
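Review bot: `ec_curve_nid_from_params()` calls `BN_CTX_start(ctx)` and later `BN_CTX_get(ctx)` unconditionally, but neither the header comment nor the code says that `ctx` must be non-NULL, while other EC calls on this page are made with a NULL context. The callers are outside this hunk, so the assumption may already hold, but a NULL here would most likely be dereferenced before any parameter matching happens. I would either state the contract in the header comment, e.g. ` * ctx must be a valid BN_CTX; this function does not allocate one.`, or reject it next to the existing `meth == NULL` check with `if (ctx == NULL) return -1;`. The same unstated assumption applies to `BN_is_zero(cofactor)`, which relies on `EC_GROUP_get0_cofactor()` never returning NULL.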
@@ -844,6 +844,271 @@ static const unsigned char p521_explicit[] = { 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, }; +/* + * Sometime we cannot compare nids for equality, as the built-in curve table + * includes aliases with different names for the same curve. + * + * This function returns TRUE (1) if the checked nids are identical, or if they + * alias to the same curve. FALSE (0) otherwise. + */ +static ossl_inline +int are_ec_nids_compatible(int n1d, int n2d) +{ + int ret = 0; + switch (n1d) { +# ifndef OPENSSL_NO_EC2M + case NID_sect113r1: + case NID_wap_wsg_idm_ecid_wtls4: + ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4); + break; + case NID_sect163k1: + case NID_wap_wsg_idm_ecid_wtls3: + ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3); + break; + case NID_sect233k1: + case NID_wap_wsg_idm_ecid_wtls10: + ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10); + break; + case NID_sect233r1: + case NID_wap_wsg_idm_ecid_wtls11: + ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11); + break; + case NID_X9_62_c2pnb163v1: + case NID_wap_wsg_idm_ecid_wtls5: + ret = (n2d == NID_X9_62_c2pnb163v1 + || n2d == NID_wap_wsg_idm_ecid_wtls5); + break; +# endif /* OPENSSL_NO_EC2M */ + case NID_secp112r1: + case NID_wap_wsg_idm_ecid_wtls6: + ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6); + break; + case NID_secp160r2: + case NID_wap_wsg_idm_ecid_wtls7: + ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7); + break; +# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 + case NID_secp224r1: + case NID_wap_wsg_idm_ecid_wtls12: + ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12); + break; +# else + /* + * For SEC P-224 we want to ensure that the SECP nid is returned, as + * that is associated with a specialized method. 
+ */ + case NID_wap_wsg_idm_ecid_wtls12: + ret = (n2d == NID_secp224r1); + break; +# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ + + default: + ret = (n1d == n2d); + } + return ret; +} + +/* + * This checks that EC_GROUP_bew_from_ecparameters() returns a "named" + * EC_GROUP for built-in curves. + * + * Note that it is possible to retrieve an alternative alias that does not match + * the original nid. + * + * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. + */ +static int check_named_curve_from_ecparameters(int id) +{ + int ret = 0, nid, tnid; + EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL; + const EC_POINT *group_gen = NULL; + EC_POINT *other_gen = NULL; + BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; + BIGNUM *other_gen_x = NULL, *other_gen_y = NULL; + const BIGNUM *group_order = NULL; + BIGNUM *other_order = NULL; + BN_CTX *bn_ctx = NULL; + static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; + static size_t invalid_seed_len = sizeof(invalid_seed); + ECPARAMETERS *params = NULL, *other_params = NULL; + EC_GROUP *g_ary[8] = {NULL}; + EC_GROUP **g_next = &g_ary[0]; + ECPARAMETERS *p_ary[8] = {NULL}; + ECPARAMETERS **p_next = &p_ary[0]; + + /* Do some setup */ + nid = curves[id].nid; + TEST_note("Curve %s", OBJ_nid2sn(nid)); + if (!TEST_ptr(bn_ctx = BN_CTX_new())) + return ret; + BN_CTX_start(bn_ctx); + + if (/* Allocations */ + !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_order = BN_CTX_get(bn_ctx)) + || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx)) + /* Generate reference group and params */ + || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) + || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL)) + || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) + || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) + || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) + 
/* compute `other_*` values */ + || !TEST_ptr(tmpg = EC_GROUP_dup(group)) + || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) + || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) + || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen, + other_gen_x, other_gen_y, bn_ctx)) + || !TEST_true(BN_copy(other_order, group_order)) + || !TEST_true(BN_add_word(other_order, 1)) + || !TEST_true(BN_copy(other_cofactor, group_cofactor)) + || !TEST_true(BN_add_word(other_cofactor, 1))) + goto err; + + EC_POINT_free(other_gen); + other_gen = NULL; + + if (!TEST_ptr(other_gen = EC_POINT_new(tmpg)) + || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen, + other_gen_x, other_gen_y, + bn_ctx))) + goto err; + + /* + * ########################### + * # Actual tests start here # + * ########################### + */ + + /* + * Creating a group from built-in explicit parameters returns a + * "named" EC_GROUP + */ + if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)) + goto err; + /* + * We cannot always guarantee the names match, as the built-in table + * contains aliases for the same curve with different names. + */ + if (!TEST_true(are_ec_nids_compatible(nid, tnid))) { + TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); + goto err; + } + /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */ + if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE)) + goto err; + + /* + * An invalid seed in the parameters should be ignored: expect a "named" + * group. 
+ */ + if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len), + invalid_seed_len) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE)) { + TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); + goto err; + } + + /* + * A null seed in the parameters should be ignored, as it is optional: + * expect a "named" group. + */ + if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE)) { + TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); + goto err; + } + + /* + * Check that changing any of the generator parameters does not yield a + * match with the built-in curves + */ + if (/* Other gen, same group order & cofactor */ + !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order, + group_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + /* Same gen & cofactor, different order */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order, + group_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || 
!TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + /* The order is not an optional field, so this should fail */ + || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL, + group_cofactor)) + /* Check that a wrong cofactor is ignored, and we still match */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, + other_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE) + /* Check that if the cofactor is not set then it still matches */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, + NULL)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE) + /* check that restoring the generator passes */ + || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, + group_cofactor)) + || !TEST_ptr(other_params = *p_next++ = + EC_GROUP_get_ecparameters(tmpg, NULL)) + || !TEST_ptr(tgroup = *g_next++ = + EC_GROUP_new_from_ecparameters(other_params)) + || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) + || !TEST_true(are_ec_nids_compatible(nid, tnid)) + || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), + OPENSSL_EC_EXPLICIT_CURVE)) + goto err; + + ret = 1; +err: + for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++) + EC_GROUP_free(*g_next); + for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++) + ECPARAMETERS_free(*p_next); + 
ECPARAMETERS_free(params); + EC_POINT_free(other_gen); + EC_GROUP_free(tmpg); + EC_GROUP_free(group); + BN_CTX_end(bn_ctx); + BN_CTX_free(bn_ctx); + return ret; +} + static int parameter_test(void) { EC_GROUP *group = NULL, *group2 = NULL; 
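Review bot: In the `err:` cleanup of `check_named_curve_from_ecparameters()` the second loop bounds `p_next` with `OSSL_NELEM(g_ary)` rather than `OSSL_NELEM(p_ary)`, which is only correct while both arrays happen to be declared with 8 elements; it should read `for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(p_ary); p_next++)`. Relatedly, the test body stores through `*g_next++` eight times into the 8-slot `g_ary` with no bounds check, so one more test case would write past the end of the array; a comment at the two declarations saying the sizes must cover every `*g_next++` / `*p_next++` store would make that visible. The header comment also misspells the function under test as `EC_GROUP_bew_from_ecparameters()`.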
@@ -886,6 +1151,179 @@ err: OPENSSL_free(buf); return r; } + +/*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) + * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit) + */ +static const unsigned char params_cf_pass[] = { + 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5, + 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, + 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, + 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5, + 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, + 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, + 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, + 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27, + 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, + 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, + 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b, + 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, + 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9, + 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, + 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c, + 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96, + 0x14, 0xa8, 0x2f, 0x4f +}; + +/*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit) + * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit) + */ +static const unsigned char params_cf_fail[] = { + 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37, + 0xe8, 0xe1, 0xfd, 0xcc, 
0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, + 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, + 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37, + 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, + 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, + 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, + 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d, + 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, + 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, + 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11, + 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, + 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70, + 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, + 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04, + 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e, + 0x34, 0xa2, 0x21, 0x01 +}; + +/*- + * Test two random 256-bit explicit parameters curves with absent cofactor. + * The two curves are chosen to roughly straddle the bounds at which the lib + * can compute the cofactor automatically, roughly 4*sqrt(p). So test that: + * + * - params_cf_pass: order is sufficiently close to p to compute cofactor + * - params_cf_fail: order is too far away from p to compute cofactor + * + * For standards-compliant curves, cofactor is chosen as small as possible. + * So you can see neither of these curves are fit for cryptographic use. + * + * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2: + * h <= 2**(t/8) where t is the security level of the curve, for which the lib + * will always succeed in computing the cofactor. Neither of these curves + * conform to that -- this is just robustness testing. 
+ */ +static int cofactor_range_test(void) +{ + EC_GROUP *group = NULL; + BIGNUM *cf = NULL; + int ret = 0; + const unsigned char *b1 = (const unsigned char *)params_cf_fail; + const unsigned char *b2 = (const unsigned char *)params_cf_pass; + + if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail))) + || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group)) + || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2, + sizeof(params_cf_pass))) + || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0) + || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group))) + goto err; + ret = 1; + err: + BN_free(cf); + EC_GROUP_free(group); + return ret; +} + +/*- + * For named curves, test that: + * - the lib correctly computes the cofactor if passed a NULL or zero cofactor + * - a nonsensical cofactor throws an error (negative test) + * - nonsensical orders throw errors (negative tests) + */ +static int cardinality_test(int n) +{ + int ret = 0; + int nid = curves[n].nid; + BN_CTX *ctx = NULL; + EC_GROUP *g1 = NULL, *g2 = NULL; + EC_POINT *g2_gen = NULL; + BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL, + *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL; + + TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid)); + + if (!TEST_ptr(ctx = BN_CTX_new()) + || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid)) + || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) { + EC_GROUP_free(g1); + EC_GROUP_free(g2); + BN_CTX_free(ctx); + return 0; + } + + BN_CTX_start(ctx); + g1_p = BN_CTX_get(ctx); + g1_a = BN_CTX_get(ctx); + g1_b = BN_CTX_get(ctx); + g1_x = BN_CTX_get(ctx); + g1_y = BN_CTX_get(ctx); + g1_order = BN_CTX_get(ctx); + g1_cf = BN_CTX_get(ctx); + + if (!TEST_ptr(g2_cf = BN_CTX_get(ctx)) + /* pull out the explicit curve parameters */ + || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx)) + || !TEST_true(EC_POINT_get_affine_coordinates(g1, + EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx)) + || !TEST_true(BN_copy(g1_order, 
EC_GROUP_get0_order(g1))) + || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx)) + /* construct g2 manually with g1 parameters */ + || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx)) + || !TEST_ptr(g2_gen = EC_POINT_new(g2)) + || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx)) + /* pass NULL cofactor: lib should compute it */ + || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) + || !TEST_BN_eq(g1_cf, g2_cf) + /* pass zero cofactor: lib should compute it */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) + || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) + || !TEST_BN_eq(g1_cf, g2_cf) + /* negative test for invalid cofactor */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) + /* negative test for NULL order */ + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) + /* negative test for zero order */ + || !TEST_true(BN_set_word(g1_order, 0)) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + /* negative test for negative order */ + || !TEST_true(BN_set_word(g2_cf, 0)) + || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) + /* negative test for too large order */ + || !TEST_true(BN_lshift(g1_order, g1_p, 2)) + || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) + goto err; + ret = 1; + err: + EC_POINT_free(g2_gen); + EC_GROUP_free(g1); + EC_GROUP_free(g2); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return ret; +} #endif int setup_tests(void) @@ -897,6 +1335,8 @@ int setup_tests(void) return 0; ADD_TEST(parameter_test); + ADD_TEST(cofactor_range_test); + ADD_ALL_TESTS(cardinality_test, crv_len); ADD_TEST(prime_field_tests); # ifndef OPENSSL_NO_EC2M ADD_TEST(char2_field_tests); 
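Review bot: The step labelled "negative test for negative order" in `cardinality_test()` never makes the order negative: it sets `g2_cf` to -1 with `BN_set_word(g2_cf, 0)` and `BN_sub(g2_cf, g2_cf, BN_value_one())`, then calls `EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)` with `g1_order` still zero from the preceding zero-order step. The call therefore repeats the zero-order case, and rejection of a negative group order is left untested. The two setup lines should operate on the order instead: `BN_set_word(g1_order, 0)` followed by `BN_sub(g1_order, g1_order, BN_value_one())`.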
@@ -908,7 +1348,9 @@ int setup_tests(void) # endif ADD_ALL_TESTS(internal_curve_test, crv_len); ADD_ALL_TESTS(internal_curve_test_method, crv_len); -#endif + + ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); +#endif /* OPENSSL_NO_EC */ return 1; } diff --git a/openssl-1.1.0-no-html.patch b/openssl-1.1.0-no-html.patch deleted file mode 100644 index f6a941e..0000000 --- a/openssl-1.1.0-no-html.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl ---- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200 -+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200 -@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi - - uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev - --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs - - uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r -v $(DESTDIR)$(DOCDIR) diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch index 6a73a61..b25dffb 100644 --- a/openssl-1.1.1-evp-kdf.patch +++ b/openssl-1.1.1-evp-kdf.patch 
@@ -1,7 +1,7 @@ -diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err/openssl.txt ---- openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/err/openssl.txt 2019-02-28 13:05:05.651521474 +0100 -@@ -743,6 +743,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn +diff -up openssl-1.1.1d/crypto/err/openssl.txt.evp-kdf openssl-1.1.1d/crypto/err/openssl.txt +--- openssl-1.1.1d/crypto/err/openssl.txt.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-09-13 15:45:01.723001323 +0200 +@@ -747,6 +747,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate @@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex EVP_F_EVP_MD_SIZE:162:EVP_MD_size EVP_F_EVP_OPENINIT:102:EVP_OpenInit -@@ -805,11 +808,30 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k +@@ -809,12 +812,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen @@ -19,6 +19,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err EVP_F_PKEY_SET_TYPE:158:pkey_set_type EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth EVP_F_RC5_CTRL:125:rc5_ctrl + EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl +EVP_F_SCRYPT_ALG:228:scrypt_alg EVP_F_UPDATE:173:update 
@@ -42,7 +43,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init -@@ -821,6 +843,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc +@@ -826,6 +848,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init @@ -50,7 +51,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -@@ -2264,6 +2287,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on +@@ -2273,6 +2296,7 @@ EVP_R_ONLY_ONESHOT_SUPPORTED:177:only on EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\ operation not supported for this keytype EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized @@ -58,7 +59,7 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers EVP_R_PBKDF2_ERROR:181:pbkdf2 error EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ -@@ -2299,6 +2323,7 @@ KDF_R_MISSING_SEED:106:missing seed +@@ -2309,6 +2333,7 @@ KDF_R_MISSING_SEED:106:missing seed KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_MISSING:102:value missing 
@@ -66,9 +67,9 @@ diff -up openssl-1.1.1b/crypto/err/openssl.txt.evp-kdf openssl-1.1.1b/crypto/err OBJ_R_OID_EXISTS:102:oid exists OBJ_R_UNKNOWN_NID:101:unknown nid OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/build.info ---- openssl-1.1.1b/crypto/evp/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/build.info 2019-02-28 13:05:05.651521474 +0100 +diff -up openssl-1.1.1d/crypto/evp/build.info.evp-kdf openssl-1.1.1d/crypto/evp/build.info +--- openssl-1.1.1d/crypto/evp/build.info.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/build.info 2019-09-13 15:39:20.268982830 +0200 @@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ @@ -79,9 +80,9 @@ diff -up openssl-1.1.1b/crypto/evp/build.info.evp-kdf openssl-1.1.1b/crypto/evp/ e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ e_chacha20_poly1305.c cmeth_lib.c -diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c ---- openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c 2019-02-28 13:05:05.651521474 +0100 +diff -up openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c +--- openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/e_chacha20_poly1305.c 2019-09-13 15:39:20.268982830 +0200 @@ -14,8 +14,8 @@ # include 
@@ -92,9 +93,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1b/ # include "internal/chacha.h" typedef struct { -diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/encode.c ---- openssl-1.1.1b/crypto/evp/encode.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/encode.c 2019-02-28 13:05:05.651521474 +0100 +diff -up openssl-1.1.1d/crypto/evp/encode.c.evp-kdf openssl-1.1.1d/crypto/evp/encode.c +--- openssl-1.1.1d/crypto/evp/encode.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/encode.c 2019-09-13 15:39:20.268982830 +0200 @@ -11,8 +11,8 @@ #include #include "internal/cryptlib.h" 
@@ -105,18 +106,10 @@ diff -up openssl-1.1.1b/crypto/evp/encode.c.evp-kdf openssl-1.1.1b/crypto/evp/en static unsigned char conv_ascii2bin(unsigned char a, const unsigned char *table); -diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_err.c ---- openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf 2019-02-28 13:05:05.617522103 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-02-28 13:05:05.651521474 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -56,6 +56,9 @@ static const ERR_STRING_DATA EVP_str_fun +diff -up openssl-1.1.1d/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1d/crypto/evp/evp_err.c +--- openssl-1.1.1d/crypto/evp/evp_err.c.evp-kdf 2019-09-13 15:39:20.226983569 +0200 ++++ openssl-1.1.1d/crypto/evp/evp_err.c 2019-09-13 15:44:00.070076961 +0200 +@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), "EVP_EncryptFinal_ex"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"}, @@ -126,7 +119,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"}, -@@ -147,10 +150,12 @@ static const ERR_STRING_DATA EVP_str_fun +@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun "PKCS5_v2_PBKDF2_keyivgen"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0), "PKCS5_v2_scrypt_keyivgen"}, 
@@ -134,12 +127,14 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0), + "r_32_12_16_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, {0, NULL} }; -@@ -233,6 +238,8 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -240,6 +245,8 @@ static const ERR_STRING_DATA EVP_str_rea "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"}, @@ -148,9 +143,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1b/crypto/evp/e {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), "partially overlapping buffers"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, -diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/evp_locl.h ---- openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf 2019-02-28 13:05:05.253528831 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_locl.h 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1d/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1d/crypto/evp/evp_locl.h +--- openssl-1.1.1d/crypto/evp/evp_locl.h.evp-kdf 2019-09-13 15:39:19.820990718 +0200 ++++ openssl-1.1.1d/crypto/evp/evp_locl.h 2019-09-13 15:39:24.144914578 +0200 @@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ } /* EVP_CIPHER_CTX */ ; 
@@ -163,9 +158,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_locl.h.evp-kdf openssl-1.1.1b/crypto/evp/ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, -diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/evp_pbe.c ---- openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_pbe.c 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1d/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1d/crypto/evp/evp_pbe.c +--- openssl-1.1.1d/crypto/evp/evp_pbe.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/evp_pbe.c 2019-09-13 15:39:24.145914561 +0200 @@ -12,6 +12,7 @@ #include #include @@ -174,9 +169,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1b/crypto/evp/e #include "evp_locl.h" /* Password based encryption (PBE) functions */ -diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/kdf_lib.c ---- openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf 2019-02-28 13:05:05.652521456 +0100 -+++ openssl-1.1.1b/crypto/evp/kdf_lib.c 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c +--- openssl-1.1.1d/crypto/evp/kdf_lib.c.evp-kdf 2019-09-13 15:39:24.146914543 +0200 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-09-13 15:39:24.146914543 +0200 @@ -0,0 +1,165 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. 
@@ -343,9 +338,9 @@ diff -up openssl-1.1.1b/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1b/crypto/evp/k + return ctx->kmeth->derive(ctx->impl, key, keylen); +} + -diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/p5_crpt2.c ---- openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/p5_crpt2.c 2019-02-28 13:05:05.652521456 +0100 +diff -up openssl-1.1.1d/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1d/crypto/evp/p5_crpt2.c +--- openssl-1.1.1d/crypto/evp/p5_crpt2.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/p5_crpt2.c 2019-09-13 15:39:24.147914525 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -494,9 +489,9 @@ diff -up openssl-1.1.1b/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1b/crypto/evp/ } int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, -diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/evp/pbe_scrypt.c ---- openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/pbe_scrypt.c 2019-02-28 13:33:18.446264056 +0100 +diff -up openssl-1.1.1d/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1d/crypto/evp/pbe_scrypt.c +--- openssl-1.1.1d/crypto/evp/pbe_scrypt.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/pbe_scrypt.c 2019-09-13 15:39:24.150914473 +0200 @@ -7,135 +7,12 @@ * https://www.openssl.org/source/license.html */ @@ -682,9 +677,11 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev - */ - if (Blen > INT_MAX) { - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -- return 0; -- } -- ++ if (r > UINT32_MAX || p > UINT32_MAX) { ++ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE); + return 0; + } + - /* - * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t - * This is combined size V, X and T (section 4) 
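Review bot: In the pbe_scrypt.c section (the `@@ -682,9 +677,11 @@` hunk and the `@@ -692,21 +689,18 @@` hunk after it), the carried patch still removes the `Blen > INT_MAX`, `N + 2 > i / r` and `Blen > UINT64_MAX - Vlen` checks from the function that raises `EVP_F_EVP_PBE_SCRYPT`. Only `if (r > UINT32_MAX || p > UINT32_MAX)` remains in their place, and nothing says where the memory and overflow limits are enforced now. These limits bound the allocation when scrypt parameters come from untrusted input, so a rebase that reshuffles these lines should make their new home easy to verify. Presumably they moved into crypto/kdf/scrypt.c, whose body is outside these hunks. I would add a comment above the new range check, such as `/* overflow and maxmem limits are enforced by the scrypt KDF in crypto/kdf/scrypt.c */`, and confirm it against that file after the update to 1.1.1d. The patched function starts and ends outside both hunks.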
@@ -692,21 +689,18 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev - i = UINT64_MAX / (32 * sizeof(uint32_t)); - if (N + 2 > i / r) { - EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ if (r > UINT32_MAX || p > UINT32_MAX) { -+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE); - return 0; - } -- Vlen = 32 * r * (N + 2) * sizeof(uint32_t); - -- /* check total allocated size fits in uint64_t */ -- if (Blen > UINT64_MAX - Vlen) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); - return 0; + /* Maintain existing behaviour. */ + if (pass == NULL) { + pass = empty; + passlen = 0; -+ } + } +- Vlen = 32 * r * (N + 2) * sizeof(uint32_t); +- +- /* check total allocated size fits in uint64_t */ +- if (Blen > UINT64_MAX - Vlen) { +- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); +- return 0; + if (salt == NULL) { + salt = (const unsigned char *)empty; + saltlen = 0; @@ -768,9 +762,9 @@ diff -up openssl-1.1.1b/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1b/crypto/ev } + #endif -diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/pkey_kdf.c ---- openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf 2019-02-28 13:05:05.653521437 +0100 -+++ openssl-1.1.1b/crypto/evp/pkey_kdf.c 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1d/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1d/crypto/evp/pkey_kdf.c +--- openssl-1.1.1d/crypto/evp/pkey_kdf.c.evp-kdf 2019-09-13 15:39:24.154914402 +0200 ++++ openssl-1.1.1d/crypto/evp/pkey_kdf.c 2019-09-13 15:39:24.154914402 +0200 @@ -0,0 +1,255 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. 
@@ -1027,9 +1021,9 @@ diff -up openssl-1.1.1b/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1b/crypto/evp/ + pkey_kdf_ctrl_str +}; + -diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b/crypto/include/internal/evp_int.h ---- openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf 2019-02-28 13:05:05.304527888 +0100 -+++ openssl-1.1.1b/crypto/include/internal/evp_int.h 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h +--- openssl-1.1.1d/crypto/include/internal/evp_int.h.evp-kdf 2019-09-13 15:39:19.873989785 +0200 ++++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-09-13 15:39:24.155914384 +0200 @@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m extern const EVP_PKEY_METHOD poly1305_pkey_meth; extern const EVP_PKEY_METHOD siphash_pkey_meth; @@ -1055,17 +1049,17 @@ diff -up openssl-1.1.1b/crypto/include/internal/evp_int.h.evp-kdf openssl-1.1.1b struct evp_md_st { int type; int pkey_type; -diff -up openssl-1.1.1b/crypto/kdf/build.info.evp-kdf openssl-1.1.1b/crypto/kdf/build.info ---- openssl-1.1.1b/crypto/kdf/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/build.info 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1d/crypto/kdf/build.info.evp-kdf openssl-1.1.1d/crypto/kdf/build.info +--- openssl-1.1.1d/crypto/kdf/build.info.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/kdf/build.info 2019-09-13 15:39:24.156914367 +0200 
@@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c hkdf.c scrypt.c + tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c -diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf.c ---- openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/hkdf.c 2019-02-28 13:05:05.653521437 +0100 +diff -up openssl-1.1.1d/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1d/crypto/kdf/hkdf.c +--- openssl-1.1.1d/crypto/kdf/hkdf.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/kdf/hkdf.c 2019-09-13 15:39:24.158914332 +0200 @@ -8,32 +8,33 @@ */ @@ -1532,9 +1526,9 @@ diff -up openssl-1.1.1b/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1b/crypto/kdf/hkdf err: OPENSSL_cleanse(prev, sizeof(prev)); -diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_err.c ---- openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/kdf_err.c 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c +--- openssl-1.1.1d/crypto/kdf/kdf_err.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-09-13 15:39:24.159914314 +0200 @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT 
@@ -1590,9 +1584,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1b/crypto/kdf/k {0, NULL} }; -diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_local.h ---- openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf 2019-02-28 13:05:05.654521419 +0100 -+++ openssl-1.1.1b/crypto/kdf/kdf_local.h 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h +--- openssl-1.1.1d/crypto/kdf/kdf_local.h.evp-kdf 2019-09-13 15:39:24.160914297 +0200 ++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-09-13 15:39:24.160914297 +0200 @@ -0,0 +1,22 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1616,9 +1610,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1b/crypto/kdf + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); + -diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/kdf_util.c ---- openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100 -+++ openssl-1.1.1b/crypto/kdf/kdf_util.c 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c +--- openssl-1.1.1d/crypto/kdf/kdf_util.c.evp-kdf 2019-09-13 15:39:24.161914279 +0200 ++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-09-13 15:39:24.160914297 +0200 @@ -0,0 +1,73 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. 
@@ -1693,9 +1687,9 @@ diff -up openssl-1.1.1b/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1b/crypto/kdf/ + return call_ctrl(ctrl, impl, cmd, md); +} + -diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pbkdf2.c ---- openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf 2019-02-28 13:05:05.654521419 +0100 -+++ openssl-1.1.1b/crypto/kdf/pbkdf2.c 2019-02-28 13:05:05.654521419 +0100 +diff -up openssl-1.1.1d/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1d/crypto/kdf/pbkdf2.c +--- openssl-1.1.1d/crypto/kdf/pbkdf2.c.evp-kdf 2019-09-13 15:39:24.162914261 +0200 ++++ openssl-1.1.1d/crypto/kdf/pbkdf2.c 2019-09-13 15:39:24.162914261 +0200 @@ -0,0 +1,264 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -1961,9 +1955,9 @@ diff -up openssl-1.1.1b/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1b/crypto/kdf/pb + HMAC_CTX_free(hctx_tpl); + return ret; +} -diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/scrypt.c ---- openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/scrypt.c 2019-02-28 13:05:05.655521400 +0100 +diff -up openssl-1.1.1d/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1d/crypto/kdf/scrypt.c +--- openssl-1.1.1d/crypto/kdf/scrypt.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/kdf/scrypt.c 2019-09-13 15:39:24.164914226 +0200 @@ -8,25 +8,34 @@ */ 
@@ -2552,9 +2546,9 @@ diff -up openssl-1.1.1b/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1b/crypto/kdf/sc +} #endif -diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/tls1_prf.c ---- openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/kdf/tls1_prf.c 2019-02-28 13:05:05.655521400 +0100 +diff -up openssl-1.1.1d/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1d/crypto/kdf/tls1_prf.c +--- openssl-1.1.1d/crypto/kdf/tls1_prf.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/kdf/tls1_prf.c 2019-09-13 15:39:24.167914173 +0200 @@ -8,11 +8,15 @@ */ @@ -2838,9 +2832,9 @@ diff -up openssl-1.1.1b/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1b/crypto/kdf/ OPENSSL_clear_free(tmp, olen); return 0; } -diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod ---- openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod 2019-02-28 13:05:05.655521400 +0100 +diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod +--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2019-09-13 15:39:24.169914138 +0200 ++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-09-13 15:39:24.169914138 +0200 @@ -0,0 +1,217 @@ +=pod + 
@@ -3059,9 +3053,9 @@ diff -up openssl-1.1.1b/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1b/doc/man3 +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2019-09-13 15:39:24.171914103 +0200 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_HKDF.pod 2019-09-13 15:39:24.171914103 +0200 @@ -0,0 +1,180 @@ +=pod + @@ -3243,9 +3237,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1b/doc/man +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2019-09-13 15:39:24.172914085 +0200 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_PBKDF2.pod 2019-09-13 15:39:24.172914085 +0200 @@ -0,0 +1,78 @@ +=pod + 
@@ -3325,9 +3319,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1b/doc/m +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2019-09-13 15:39:24.173914068 +0200 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_SCRYPT.pod 2019-09-13 15:39:24.173914068 +0200 @@ -0,0 +1,149 @@ +=pod + @@ -3478,9 +3472,9 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1b/doc/m +L. + +=cut -diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod ---- openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-02-28 13:05:05.656521382 +0100 -+++ openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-02-28 13:05:05.656521382 +0100 +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2019-09-13 15:39:24.174914050 +0200 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_TLS1_PRF.pod 2019-09-13 15:39:24.174914050 +0200 @@ -0,0 +1,142 @@ +=pod + 
@@ -3624,18 +3618,10 @@ diff -up openssl-1.1.1b/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1b/doc +L. + +=cut -diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/openssl/evperr.h ---- openssl-1.1.1b/include/openssl/evperr.h.evp-kdf 2019-02-28 13:05:05.633521807 +0100 -+++ openssl-1.1.1b/include/openssl/evperr.h 2019-02-28 13:05:05.657521363 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -51,6 +51,9 @@ int ERR_load_EVP_strings(void); +diff -up openssl-1.1.1d/include/openssl/evperr.h.evp-kdf openssl-1.1.1d/include/openssl/evperr.h +--- openssl-1.1.1d/include/openssl/evperr.h.evp-kdf 2019-09-13 15:39:20.242983287 +0200 ++++ openssl-1.1.1d/include/openssl/evperr.h 2019-09-13 15:42:42.818424742 +0200 +@@ -58,6 +58,9 @@ int ERR_load_EVP_strings(void); # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219 # define EVP_F_EVP_ENCRYPTFINAL_EX 127 # define EVP_F_EVP_ENCRYPTUPDATE 167 @@ -3645,7 +3631,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/ # define EVP_F_EVP_MD_CTX_COPY_EX 110 # define EVP_F_EVP_MD_SIZE 162 # define EVP_F_EVP_OPENINIT 102 -@@ -113,10 +116,12 @@ int ERR_load_EVP_strings(void); +@@ -120,11 +123,13 @@ int ERR_load_EVP_strings(void); # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118 # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164 # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180 
@@ -3653,12 +3639,13 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/ # define EVP_F_PKEY_SET_TYPE 158 # define EVP_F_RC2_MAGIC_TO_METH 109 # define EVP_F_RC5_CTRL 125 + # define EVP_F_R_32_12_16_INIT_KEY 242 # define EVP_F_S390X_AES_GCM_CTRL 201 +# define EVP_F_SCRYPT_ALG 228 # define EVP_F_UPDATE 173 /* -@@ -171,6 +176,7 @@ int ERR_load_EVP_strings(void); +@@ -180,6 +185,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 # define EVP_R_OPERATON_NOT_INITIALIZED 151 @@ -3666,18 +3653,10 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.evp-kdf openssl-1.1.1b/include/ # define EVP_R_PARTIALLY_OVERLAPPING 162 # define EVP_R_PBKDF2_ERROR 181 # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 -diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/openssl/kdferr.h ---- openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/kdferr.h 2019-02-28 13:05:05.657521363 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -19,6 +19,23 @@ int ERR_load_KDF_strings(void); +diff -up openssl-1.1.1d/include/openssl/kdferr.h.evp-kdf openssl-1.1.1d/include/openssl/kdferr.h +--- openssl-1.1.1d/include/openssl/kdferr.h.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-09-13 15:39:34.856725957 +0200 +@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void); /* * KDF function codes. */ 
@@ -3701,7 +3680,7 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/ # define KDF_F_PKEY_HKDF_CTRL_STR 103 # define KDF_F_PKEY_HKDF_DERIVE 102 # define KDF_F_PKEY_HKDF_INIT 108 -@@ -30,6 +47,7 @@ int ERR_load_KDF_strings(void); +@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void); # define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100 # define KDF_F_PKEY_TLS1_PRF_DERIVE 101 # define KDF_F_PKEY_TLS1_PRF_INIT 110 @@ -3709,16 +3688,16 @@ diff -up openssl-1.1.1b/include/openssl/kdferr.h.evp-kdf openssl-1.1.1b/include/ # define KDF_F_TLS1_PRF_ALG 111 /* -@@ -47,5 +65,6 @@ int ERR_load_KDF_strings(void); +@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void); # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 # define KDF_R_VALUE_ERROR 108 # define KDF_R_VALUE_MISSING 102 +# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 #endif -diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/openssl/kdf.h ---- openssl-1.1.1b/include/openssl/kdf.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/kdf.h 2019-02-28 13:05:05.657521363 +0100 +diff -up openssl-1.1.1d/include/openssl/kdf.h.evp-kdf openssl-1.1.1d/include/openssl/kdf.h +--- openssl-1.1.1d/include/openssl/kdf.h.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/kdf.h 2019-09-13 15:39:34.857725939 +0200 @@ -10,10 +10,50 @@ #ifndef HEADER_KDF_H # define HEADER_KDF_H 
@@ -3797,9 +3776,9 @@ diff -up openssl-1.1.1b/include/openssl/kdf.h.evp-kdf openssl-1.1.1b/include/ope } # endif #endif -diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/include/openssl/ossl_typ.h ---- openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/ossl_typ.h 2019-02-28 13:05:05.657521363 +0100 +diff -up openssl-1.1.1d/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1d/include/openssl/ossl_typ.h +--- openssl-1.1.1d/include/openssl/ossl_typ.h.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/ossl_typ.h 2019-09-13 15:39:34.858725922 +0200 @@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E typedef struct evp_pkey_method_st EVP_PKEY_METHOD; typedef struct evp_pkey_ctx_st EVP_PKEY_CTX; @@ -3809,10 +3788,10 @@ diff -up openssl-1.1.1b/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1b/includ typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX; typedef struct hmac_ctx_st HMAC_CTX; -diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info ---- openssl-1.1.1b/test/build.info.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/build.info 2019-02-28 13:05:05.657521363 +0100 -@@ -43,7 +43,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I +diff -up openssl-1.1.1d/test/build.info.evp-kdf openssl-1.1.1d/test/build.info +--- openssl-1.1.1d/test/build.info.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/build.info 2019-09-13 15:39:34.861725869 +0200 +@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bio_callback_test bio_memleak_test \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ 
@@ -3822,7 +3801,7 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info asn1_encode_test asn1_decode_test asn1_string_table_test \ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ recordlentest drbgtest sslbuffertest \ -@@ -335,6 +336,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I +@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I INCLUDE[pkey_meth_kdf_test]=../include DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a @@ -3833,9 +3812,9 @@ diff -up openssl-1.1.1b/test/build.info.evp-kdf openssl-1.1.1b/test/build.info SOURCE[x509_time_test]=x509_time_test.c INCLUDE[x509_time_test]=../include DEPEND[x509_time_test]=../libcrypto libtestutil.a -diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_test.c ---- openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf 2019-02-28 13:05:05.658521345 +0100 -+++ openssl-1.1.1b/test/evp_kdf_test.c 2019-02-28 13:05:05.658521345 +0100 +diff -up openssl-1.1.1d/test/evp_kdf_test.c.evp-kdf openssl-1.1.1d/test/evp_kdf_test.c +--- openssl-1.1.1d/test/evp_kdf_test.c.evp-kdf 2019-09-13 15:39:34.862725851 +0200 ++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-09-13 15:39:34.862725851 +0200 @@ -0,0 +1,237 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. 
@@ -4074,10 +4053,10 @@ diff -up openssl-1.1.1b/test/evp_kdf_test.c.evp-kdf openssl-1.1.1b/test/evp_kdf_ +#endif + return 1; +} -diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c ---- openssl-1.1.1b/test/evp_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/evp_test.c 2019-02-28 13:05:05.658521345 +0100 -@@ -1672,13 +1672,14 @@ static const EVP_TEST_METHOD encode_test +diff -up openssl-1.1.1d/test/evp_test.c.evp-kdf openssl-1.1.1d/test/evp_test.c +--- openssl-1.1.1d/test/evp_test.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/evp_test.c 2019-09-13 15:39:34.865725798 +0200 +@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test encode_test_run, }; @@ -4093,7 +4072,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c /* Expected output */ unsigned char *output; size_t output_len; -@@ -1705,16 +1706,11 @@ static int kdf_test_init(EVP_TEST *t, co +@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata)))) return 0; @@ -4111,7 +4090,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c t->data = kdata; return 1; } -@@ -1723,7 +1719,42 @@ static void kdf_test_cleanup(EVP_TEST *t +@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t { KDF_DATA *kdata = t->data; OPENSSL_free(kdata->output); @@ -4155,7 +4134,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c } static int kdf_test_parse(EVP_TEST *t, -@@ -1734,7 +1765,7 @@ static int kdf_test_parse(EVP_TEST *t, +@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t, if (strcmp(keyword, "Output") == 0) return parse_bin(value, &kdata->output, &kdata->output_len); if (strncmp(keyword, "Ctrl", 4) == 0) 
@@ -4164,7 +4143,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c return 0; } -@@ -1748,7 +1779,7 @@ static int kdf_test_run(EVP_TEST *t) +@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t) t->err = "INTERNAL_ERROR"; goto err; } @@ -4173,7 +4152,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c t->err = "KDF_DERIVE_ERROR"; goto err; } -@@ -1774,6 +1805,106 @@ static const EVP_TEST_METHOD kdf_test_me +@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me /** @@ -4280,7 +4259,7 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c *** KEYPAIR TESTS **/ -@@ -2277,6 +2408,7 @@ static const EVP_TEST_METHOD *evp_test_l +@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l &digestverify_test_method, &encode_test_method, &kdf_test_method, @@ -4288,9 +4267,9 @@ diff -up openssl-1.1.1b/test/evp_test.c.evp-kdf openssl-1.1.1b/test/evp_test.c &keypair_test_method, &keygen_test_method, &mac_test_method, -diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pkey_meth_kdf_test.c ---- openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/pkey_meth_kdf_test.c 2019-02-28 13:05:05.658521345 +0100 +diff -up openssl-1.1.1d/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1d/test/pkey_meth_kdf_test.c +--- openssl-1.1.1d/test/pkey_meth_kdf_test.c.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/pkey_meth_kdf_test.c 2019-09-13 15:39:34.867725763 +0200 @@ -1,5 +1,5 @@ /* - * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. 
@@ -4494,9 +4473,9 @@ diff -up openssl-1.1.1b/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1b/test/pk } #endif -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt 2019-02-28 13:05:05.659521326 +0100 +diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt +--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-09-13 15:39:34.870725710 +0200 @@ -1,5 +1,5 @@ # -# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. @@ -4895,9 +4874,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl +Ctrl.digest = digest:sha512 +Output = 00ef42cdbfc98d29db20976608e455567fdddf14 + -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-02-28 13:05:05.659521326 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-02-28 13:05:05.659521326 +0100 +diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt +--- openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2019-09-13 15:39:34.873725658 +0200 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey_kdf.txt 2019-09-13 15:39:34.872725675 +0200 @@ -0,0 +1,305 @@ +# +# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. 
@@ -5204,9 +5183,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf op +Ctrl.p = p:1 +Result = INTERNAL_ERROR + -diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/test/recipes/30-test_evp_kdf.t ---- openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-02-28 13:05:05.659521326 +0100 -+++ openssl-1.1.1b/test/recipes/30-test_evp_kdf.t 2019-02-28 13:05:05.659521326 +0100 +diff -up openssl-1.1.1d/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp_kdf.t +--- openssl-1.1.1d/test/recipes/30-test_evp_kdf.t.evp-kdf 2019-09-13 15:39:34.875725622 +0200 ++++ openssl-1.1.1d/test/recipes/30-test_evp_kdf.t 2019-09-13 15:39:34.875725622 +0200 @@ -0,0 +1,13 @@ +#! /usr/bin/env perl +# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. @@ -5221,9 +5200,9 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1b/te +use OpenSSL::Test::Simple; + +simple_test("test_evp_kdf", "evp_kdf_test"); -diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/recipes/30-test_evp.t ---- openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf 2019-05-29 16:55:38.236960543 +0200 -+++ openssl-1.1.1c/test/recipes/30-test_evp.t 2019-05-29 16:57:46.348718012 +0200 +diff -up openssl-1.1.1d/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1d/test/recipes/30-test_evp.t +--- openssl-1.1.1d/test/recipes/30-test_evp.t.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/recipes/30-test_evp.t 2019-09-13 15:39:34.876725605 +0200 @@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ setup("test_evp"); 
@@ -5233,11 +5212,10 @@ diff -up openssl-1.1.1c/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1c/test/r "evpcase.txt", "evpccmcavs.txt" ); plan tests => scalar(@files); - -diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto.num ---- openssl-1.1.1b/util/libcrypto.num.evp-kdf 2019-02-28 13:05:05.636521752 +0100 -+++ openssl-1.1.1b/util/libcrypto.num 2019-02-28 13:05:05.660521308 +0100 -@@ -4614,3 +4614,11 @@ FIPS_drbg_get_strength +diff -up openssl-1.1.1d/util/libcrypto.num.evp-kdf openssl-1.1.1d/util/libcrypto.num +--- openssl-1.1.1d/util/libcrypto.num.evp-kdf 2019-09-13 15:39:20.248983182 +0200 ++++ openssl-1.1.1d/util/libcrypto.num 2019-09-13 15:39:34.881725517 +0200 +@@ -4617,3 +4617,11 @@ FIPS_drbg_get_strength FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: @@ -5249,9 +5227,9 @@ diff -up openssl-1.1.1b/util/libcrypto.num.evp-kdf openssl-1.1.1b/util/libcrypto +EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: -diff -up openssl-1.1.1b/util/private.num.evp-kdf openssl-1.1.1b/util/private.num ---- openssl-1.1.1b/util/private.num.evp-kdf 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/util/private.num 2019-02-28 13:05:05.660521308 +0100 +diff -up openssl-1.1.1d/util/private.num.evp-kdf openssl-1.1.1d/util/private.num +--- openssl-1.1.1d/util/private.num.evp-kdf 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/util/private.num 2019-09-13 15:39:34.883725481 +0200 @@ -21,6 +21,7 @@ CRYPTO_EX_dup CRYPTO_EX_free datatype CRYPTO_EX_new datatype diff --git a/openssl-1.1.1-fips-crng-test.patch b/openssl-1.1.1-fips-crng-test.patch index 91841f1..9be5c30 100644 --- a/openssl-1.1.1-fips-crng-test.patch +++ b/openssl-1.1.1-fips-crng-test.patch 
@@ -1,7 +1,7 @@ -diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1b/crypto/include/internal/rand_int.h ---- openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test 2019-05-07 08:56:33.242179136 +0200 -+++ openssl-1.1.1b/crypto/include/internal/rand_int.h 2019-05-07 09:54:14.920204875 +0200 -@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN +diff -up openssl-1.1.1d/crypto/include/internal/rand_int.h.crng-test openssl-1.1.1d/crypto/include/internal/rand_int.h +--- openssl-1.1.1d/crypto/include/internal/rand_int.h.crng-test 2019-09-13 16:03:54.572238927 +0200 ++++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2019-09-13 16:03:54.966232056 +0200 +@@ -48,6 +48,14 @@ size_t rand_drbg_get_additional_data(RAN void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); @@ -16,18 +16,18 @@ diff -up openssl-1.1.1b/crypto/include/internal/rand_int.h.crng-test openssl-1.1 /* * RAND_POOL functions */ -diff -up openssl-1.1.1b/crypto/rand/build.info.crng-test openssl-1.1.1b/crypto/rand/build.info ---- openssl-1.1.1b/crypto/rand/build.info.crng-test 2019-05-07 09:54:14.921204857 +0200 -+++ openssl-1.1.1b/crypto/rand/build.info 2019-05-07 09:55:22.730014705 +0200 +diff -up openssl-1.1.1d/crypto/rand/build.info.crng-test openssl-1.1.1d/crypto/rand/build.info +--- openssl-1.1.1d/crypto/rand/build.info.crng-test 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rand/build.info 2019-09-13 16:03:54.968232021 +0200 
@@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - randfile.c rand_lib.c rand_err.c rand_egd.c \ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c -diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/rand/drbg_lib.c ---- openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rand/drbg_lib.c 2019-05-07 10:04:51.753157224 +0200 +diff -up openssl-1.1.1d/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1d/crypto/rand/drbg_lib.c +--- openssl-1.1.1d/crypto/rand/drbg_lib.c.crng-test 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2019-09-13 16:03:54.969232004 +0200 @@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; @@ -51,9 +51,9 @@ diff -up openssl-1.1.1b/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1b/crypto/r #ifndef RAND_DRBG_GET_RANDOM_NONCE drbg->get_nonce = rand_drbg_get_nonce; drbg->cleanup_nonce = rand_drbg_cleanup_nonce; -diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/crypto/rand/rand_crng_test.c ---- openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test 2019-05-07 09:54:14.925204787 +0200 -+++ openssl-1.1.1b/crypto/rand/rand_crng_test.c 2019-05-07 09:54:14.932204664 +0200 +diff -up openssl-1.1.1d/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1d/crypto/rand/rand_crng_test.c +--- openssl-1.1.1d/crypto/rand/rand_crng_test.c.crng-test 2019-09-13 16:03:54.969232004 +0200 ++++ openssl-1.1.1d/crypto/rand/rand_crng_test.c 2019-09-13 16:15:20.834271063 +0200 @@ -0,0 +1,118 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. 
@@ -110,7 +110,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr +{ + unsigned char buf[CRNGT_BUFSIZ]; + -+ if ((crngt_pool = rand_pool_new(0, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) ++ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) + return 0; + if (crngt_get_entropy(buf, crngt_prev, NULL)) { + OPENSSL_cleanse(buf, sizeof(buf)); @@ -147,7 +147,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr + if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) + return 0; + -+ if ((pool = rand_pool_new(entropy, min_len, max_len)) == NULL) ++ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) + return 0; + + while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { @@ -173,9 +173,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1b/cr +{ + OPENSSL_secure_clear_free(out, outlen); +} -diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/rand/rand_lcl.h ---- openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test 2019-05-07 08:56:33.330177674 +0200 -+++ openssl-1.1.1b/crypto/rand/rand_lcl.h 2019-05-07 09:54:14.933204647 +0200 +diff -up openssl-1.1.1d/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1d/crypto/rand/rand_lcl.h +--- openssl-1.1.1d/crypto/rand/rand_lcl.h.crng-test 2019-09-13 16:03:54.653237514 +0200 ++++ openssl-1.1.1d/crypto/rand/rand_lcl.h 2019-09-13 16:03:54.969232004 +0200 @@ -33,7 +33,15 @@ # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ 
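Review bot: The second argument added to `rand_pool_new()` in the CRNG test initialiser is a bare `1`, and the same applies to `rand_pool_new(entropy, 1, min_len, max_len)` in the following hunk. In 1.1.1d that parameter is the `secure` flag, which selects secure-heap allocation for the pool, but nothing at the call site says so. rand_unix.c already annotates such literals (`rand_pool_bytes_needed(pool, 1 /*entropy_factor*/)`), so I would write `rand_pool_new(0, 1 /* secure */, CRNGT_BUFSIZ, CRNGT_BUFSIZ)` and `rand_pool_new(entropy, 1 /* secure */, min_len, max_len)`. Both enclosing functions extend beyond the lines shown in these hunks.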
@@ -193,17 +193,16 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r /* * Maximum input size for the DRBG (entropy, nonce, personalization string) -@@ -44,7 +52,8 @@ +@@ -44,6 +52,8 @@ */ # define DRBG_MAX_LENGTH INT32_MAX -- +/* The default nonce */ +# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" /* * Maximum allocation size for RANDOM_POOL buffers -@@ -290,4 +299,22 @@ int rand_drbg_enable_locking(RAND_DRBG * +@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG * /* initializes the AES-CTR DRBG implementation */ int drbg_ctr_init(RAND_DRBG *drbg); @@ -226,10 +225,10 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lcl.h.crng-test openssl-1.1.1b/crypto/r +int rand_crngt_single_init(void); + #endif -diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c ---- openssl-1.1.1b/test/drbgtest.c.crng-test 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/drbgtest.c 2019-05-07 10:06:24.706551561 +0200 -@@ -143,6 +143,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, +diff -up openssl-1.1.1d/test/drbgtest.c.crng-test openssl-1.1.1d/test/drbgtest.c +--- openssl-1.1.1d/test/drbgtest.c.crng-test 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/drbgtest.c 2019-09-13 16:03:54.969232004 +0200 +@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, return t->noncelen; } @@ -261,7 +260,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c static int uninstantiate(RAND_DRBG *drbg) { int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); -@@ -168,7 +193,8 @@ static int single_kat(DRBG_SELFTEST_DATA +@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) return 0; if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, 
@@ -271,7 +270,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c failures++; goto err; } -@@ -286,7 +312,8 @@ static int error_check(DRBG_SELFTEST_DAT +@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT unsigned int reseed_counter_tmp; int ret = 0; @@ -281,7 +280,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c goto err; /* -@@ -699,6 +726,10 @@ static int test_rand_drbg_reseed(void) +@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void) || !TEST_ptr_eq(private->parent, master)) return 0; @@ -292,7 +291,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c /* uninstantiate the three global DRBGs */ RAND_DRBG_uninstantiate(private); RAND_DRBG_uninstantiate(public); -@@ -919,7 +950,8 @@ static int test_rand_seed(void) +@@ -964,7 +995,8 @@ static int test_rand_seed(void) size_t rand_buflen; size_t required_seed_buflen = 0; @@ -302,7 +301,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c return 0; #ifdef OPENSSL_RAND_SEED_NONE -@@ -968,6 +1000,95 @@ static int test_rand_add(void) +@@ -1013,6 +1045,95 @@ static int test_rand_add(void) return 1; } @@ -398,7 +397,7 @@ diff -up openssl-1.1.1b/test/drbgtest.c.crng-test openssl-1.1.1b/test/drbgtest.c int setup_tests(void) { app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); -@@ -980,5 +1101,6 @@ int setup_tests(void) +@@ -1025,5 +1146,6 @@ int setup_tests(void) #if defined(OPENSSL_THREADS) ADD_TEST(test_multi_thread); #endif diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch index fc60e33..02d7df3 100644 --- a/openssl-1.1.1-fips-post-rand.patch +++ b/openssl-1.1.1-fips-post-rand.patch 
@@ -1,6 +1,6 @@ -diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/fips/fips.c ---- openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand 2019-05-29 15:53:56.328216002 +0200 -+++ openssl-1.1.1c/crypto/fips/fips.c 2019-05-29 15:53:56.359215457 +0200 +diff -up openssl-1.1.1d/crypto/fips/fips.c.fips-post-rand openssl-1.1.1d/crypto/fips/fips.c +--- openssl-1.1.1d/crypto/fips/fips.c.fips-post-rand 2019-09-13 16:15:52.656716089 +0200 ++++ openssl-1.1.1d/crypto/fips/fips.c 2019-09-13 16:44:33.217852364 +0200 @@ -68,6 +68,7 @@ # include @@ -46,14 +46,14 @@ diff -up openssl-1.1.1c/crypto/fips/fips.c.fips-post-rand openssl-1.1.1c/crypto/ + fips_set_mode(onoff); + /* force RNG reseed with entropy from getrandom() on next call */ -+ rand_fork(); ++ rand_force_reseed(); + ret = 1; goto end; } -diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1c/crypto/include/internal/fips_int.h ---- openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand 2019-05-29 15:53:56.337215844 +0200 -+++ openssl-1.1.1c/crypto/include/internal/fips_int.h 2019-05-29 15:53:56.359215457 +0200 +diff -up openssl-1.1.1d/crypto/include/internal/fips_int.h.fips-post-rand openssl-1.1.1d/crypto/include/internal/fips_int.h +--- openssl-1.1.1d/crypto/include/internal/fips_int.h.fips-post-rand 2019-09-13 16:15:52.666715914 +0200 ++++ openssl-1.1.1d/crypto/include/internal/fips_int.h 2019-09-13 16:15:52.690715496 +0200 @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); int FIPS_selftest_drbg(void); int FIPS_selftest_cmac(void); 
@@ -63,24 +63,58 @@ diff -up openssl-1.1.1c/crypto/include/internal/fips_int.h.fips-post-rand openss int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, -diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/crypto/rand/rand_unix.c ---- openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/rand/rand_unix.c 2019-05-29 16:54:16.471391802 +0200 -@@ -16,10 +16,12 @@ - #include +diff -up openssl-1.1.1d/crypto/include/internal/rand_int.h.fips-post-rand openssl-1.1.1d/crypto/include/internal/rand_int.h +--- openssl-1.1.1d/crypto/include/internal/rand_int.h.fips-post-rand 2019-09-13 16:15:52.307722175 +0200 ++++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2019-09-13 16:41:47.133736023 +0200 +@@ -24,6 +24,7 @@ + typedef struct rand_pool_st RAND_POOL; + + void rand_cleanup_int(void); ++void rand_force_reseed(void); + void rand_drbg_cleanup_int(void); + void drbg_delete_thread_state(void); + +diff -up openssl-1.1.1d/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1d/crypto/rand/drbg_lib.c +--- openssl-1.1.1d/crypto/rand/drbg_lib.c.fips-post-rand 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2019-09-13 16:44:04.808345620 +0200 +@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg + return min_entropy > min_entropylen ? 
min_entropy : min_entropylen; + } + ++void rand_force_reseed(void) ++{ ++ RAND_DRBG *drbg; ++ ++ drbg = RAND_DRBG_get0_master(); ++ drbg->fork_id = 0; ++ ++ drbg = RAND_DRBG_get0_private(); ++ drbg->fork_id = 0; ++ ++ drbg = RAND_DRBG_get0_public(); ++ drbg->fork_id = 0; ++} ++ + /* Implements the default OpenSSL RAND_add() method */ + static int drbg_add(const void *buf, int num, double randomness) + { +diff -up openssl-1.1.1d/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1d/crypto/rand/rand_unix.c +--- openssl-1.1.1d/crypto/rand/rand_unix.c.fips-post-rand 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rand/rand_unix.c 2019-09-13 16:15:52.690715496 +0200 +@@ -17,10 +17,12 @@ + #include #include "rand_lcl.h" #include "internal/rand_int.h" +#include "internal/fips_int.h" #include #include "internal/dso.h" - #if defined(__linux) --# include -+# include + #ifdef __linux + # include +# include - #endif - #if defined(__FreeBSD__) - # include -@@ -279,7 +281,7 @@ static ssize_t sysctl_random(char *buf, + # ifdef DEVRANDOM_WAIT + # include + # include +@@ -295,7 +297,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ @@ -89,7 +123,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr { /* * Note: 'buflen' equals the size of the buffer which is used by the -@@ -301,6 +303,7 @@ static ssize_t syscall_random(void *buf, +@@ -317,6 +319,7 @@ static ssize_t syscall_random(void *buf, * - Linux since 3.17 with glibc 2.25 * - FreeBSD since 12.0 (1200061) */ 
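Review bot: The new `rand_force_reseed()` in the drbg_lib.c part of this hunk dereferences the results of `RAND_DRBG_get0_master()`, `RAND_DRBG_get0_private()` and `RAND_DRBG_get0_public()` without checking them. These getters can return NULL when DRBG initialisation fails, so the FIPS mode switch in fips.c would crash instead of failing cleanly. Each of the three assignments should be guarded, e.g. `if (drbg != NULL) drbg->fork_id = 0;`. The writes to `fork_id` are also made without taking the DRBG lock, which looks like a possible race on the shared master DRBG if the mode is switched while other threads are generating; this should be confirmed against the caller. A one-line comment such as `/* a fork_id mismatch makes the next generate call reseed */` would document the mechanism, which is presumably what the fips.c comment about forcing a reseed relies on.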
@@ -97,7 +131,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); -@@ -322,10 +325,10 @@ static ssize_t syscall_random(void *buf, +@@ -338,10 +341,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif @@ -111,19 +145,17 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else -@@ -475,8 +478,10 @@ size_t rand_pool_acquire_entropy(RAND_PO - size_t bytes_needed; - size_t entropy_available = 0; - unsigned char *buffer; -- +@@ -576,6 +579,9 @@ size_t rand_pool_acquire_entropy(RAND_PO + size_t entropy_available; + # if defined(OPENSSL_RAND_SEED_GETRANDOM) + int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { { - ssize_t bytes; - /* Maximum allowed number of consecutive unsuccessful attempts */ -@@ -485,7 +490,7 @@ size_t rand_pool_acquire_entropy(RAND_PO + size_t bytes_needed; + unsigned char *buffer; +@@ -586,7 +592,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -132,7 +164,7 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; -@@ -540,8 +545,10 @@ size_t rand_pool_acquire_entropy(RAND_PO +@@ -621,8 +627,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); 
@@ -144,8 +176,8 @@ diff -up openssl-1.1.1c/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1c/cr while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); -@@ -601,7 +608,9 @@ size_t rand_pool_acquire_entropy(RAND_PO - } +@@ -685,7 +693,9 @@ size_t rand_pool_acquire_entropy(RAND_PO + return entropy_available; } # endif - diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 3ff5aa4..9ccdcbf 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -1,6 +1,6 @@ -diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c ---- openssl-1.1.1b/apps/pkcs12.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/apps/pkcs12.c 2019-05-24 12:08:40.524523735 +0200 +diff -up openssl-1.1.1d/apps/pkcs12.c.fips openssl-1.1.1d/apps/pkcs12.c +--- openssl-1.1.1d/apps/pkcs12.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/apps/pkcs12.c 2019-09-13 15:13:11.022525640 +0200 @@ -126,7 +126,7 @@ int pkcs12_main(int argc, char **argv) int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; @@ -10,10 +10,10 @@ diff -up openssl-1.1.1b/apps/pkcs12.c.fips openssl-1.1.1b/apps/pkcs12.c # else int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; # endif -diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c ---- openssl-1.1.1b/apps/speed.c.fips 2019-05-07 11:52:35.887597899 +0200 -+++ openssl-1.1.1b/apps/speed.c 2019-05-07 16:51:36.946350159 +0200 -@@ -1592,7 +1592,8 @@ int speed_main(int argc, char **argv) +diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c +--- openssl-1.1.1d/apps/speed.c.fips 2019-09-13 15:13:11.008525884 +0200 ++++ openssl-1.1.1d/apps/speed.c 2019-09-13 15:13:11.022525640 +0200 +@@ -1595,7 +1595,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) 
@@ -23,7 +23,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c continue; } if (found(*argv, rsa_choices, &i)) { -@@ -1602,7 +1603,9 @@ int speed_main(int argc, char **argv) +@@ -1605,7 +1606,9 @@ int speed_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_DSA if (strcmp(*argv, "dsa") == 0) { @@ -34,7 +34,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c dsa_doit[R_DSA_2048] = 1; continue; } -@@ -1633,19 +1636,21 @@ int speed_main(int argc, char **argv) +@@ -1636,19 +1639,21 @@ int speed_main(int argc, char **argv) } if (strcmp(*argv, "ecdh") == 0) { for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) @@ -60,7 +60,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c eddsa_doit[i] = 2; continue; } -@@ -1734,23 +1739,30 @@ int speed_main(int argc, char **argv) +@@ -1737,23 +1742,30 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -96,7 +96,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif } for (i = 0; i < ALGOR_NUM; i++) -@@ -1798,30 +1810,46 @@ int speed_main(int argc, char **argv) +@@ -1801,30 +1813,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA @@ -153,7 +153,7 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -2118,6 +2146,7 @@ int speed_main(int argc, char **argv) +@@ -2122,6 +2150,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); 
@@ -161,10 +161,10 @@ diff -up openssl-1.1.1b/apps/speed.c.fips openssl-1.1.1b/apps/speed.c if (loopargs[i].hctx == NULL) { BIO_printf(bio_err, "HMAC malloc failure, exiting..."); exit(1); -diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure ---- openssl-1.1.1b/Configure.fips 2019-02-28 11:30:06.775746246 +0100 -+++ openssl-1.1.1b/Configure 2019-02-28 11:30:06.779746172 +0100 -@@ -313,7 +313,7 @@ $config{sdirs} = [ +diff -up openssl-1.1.1d/Configure.fips openssl-1.1.1d/Configure +--- openssl-1.1.1d/Configure.fips 2019-09-13 15:13:11.017525727 +0200 ++++ openssl-1.1.1d/Configure 2019-09-13 15:13:11.023525622 +0200 +@@ -307,7 +307,7 @@ $config{sdirs} = [ "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", @@ -173,9 +173,9 @@ diff -up openssl-1.1.1b/Configure.fips openssl-1.1.1b/Configure "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" ]; -diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/cm_pmeth.c ---- openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/cmac/cm_pmeth.c 2019-05-06 14:55:32.866749109 +0200 +diff -up openssl-1.1.1d/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1d/crypto/cmac/cm_pmeth.c +--- openssl-1.1.1d/crypto/cmac/cm_pmeth.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/cmac/cm_pmeth.c 2019-09-13 15:13:11.023525622 +0200 @@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD cmac_pkey_meth = { 
@@ -185,9 +185,9 @@ diff -up openssl-1.1.1b/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1b/crypto/cmac/c pkey_cmac_init, pkey_cmac_copy, pkey_cmac_cleanup, -diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err.c ---- openssl-1.1.1b/crypto/dh/dh_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_err.c 2019-02-28 11:30:06.779746172 +0100 +diff -up openssl-1.1.1d/crypto/dh/dh_err.c.fips openssl-1.1.1d/crypto/dh/dh_err.c +--- openssl-1.1.1d/crypto/dh/dh_err.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dh/dh_err.c 2019-09-13 15:13:11.023525622 +0200 @@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), @@ -213,9 +213,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_err.c.fips openssl-1.1.1b/crypto/dh/dh_err. {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen.c ---- openssl-1.1.1b/crypto/dh/dh_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_gen.c 2019-02-28 11:30:06.780746153 +0100 +diff -up openssl-1.1.1d/crypto/dh/dh_gen.c.fips openssl-1.1.1d/crypto/dh/dh_gen.c +--- openssl-1.1.1d/crypto/dh/dh_gen.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dh/dh_gen.c 2019-09-13 15:13:11.023525622 +0200 @@ -16,6 +16,9 @@ #include "internal/cryptlib.h" #include 
@@ -240,7 +240,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen. if (ret->meth->generate_params) return ret->meth->generate_params(ret, prime_len, generator, cb); return dh_builtin_genparams(ret, prime_len, generator, cb); -@@ -62,6 +72,18 @@ static int dh_builtin_genparams(DH *ret, +@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret, int g, ok = -1; BN_CTX *ctx = NULL; @@ -259,9 +259,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_gen.c.fips openssl-1.1.1b/crypto/dh/dh_gen. ctx = BN_CTX_new(); if (ctx == NULL) goto err; -diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key.c ---- openssl-1.1.1b/crypto/dh/dh_key.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_key.c 2019-02-28 11:30:06.780746153 +0100 +diff -up openssl-1.1.1d/crypto/dh/dh_key.c.fips openssl-1.1.1d/crypto/dh/dh_key.c +--- openssl-1.1.1d/crypto/dh/dh_key.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dh/dh_key.c 2019-09-13 15:13:11.024525605 +0200 @@ -11,6 +11,9 @@ #include "internal/cryptlib.h" #include "dh_locl.h" @@ -321,7 +321,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); return 0; -@@ -170,6 +195,13 @@ static int compute_key(unsigned char *ke +@@ -179,6 +204,13 @@ static int compute_key(unsigned char *ke DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); goto err; } @@ -335,7 +335,7 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. ctx = BN_CTX_new(); if (ctx == NULL) -@@ -221,6 +253,9 @@ static int dh_bn_mod_exp(const DH *dh, B +@@ -228,6 +260,9 @@ static int dh_bn_mod_exp(const DH *dh, B static int dh_init(DH *dh) { 
@@ -345,9 +345,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_key.c.fips openssl-1.1.1b/crypto/dh/dh_key. dh->flags |= DH_FLAG_CACHE_MONT_P; return 1; } -diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pmeth.c ---- openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dh/dh_pmeth.c 2019-05-06 14:57:29.184723430 +0200 +diff -up openssl-1.1.1d/crypto/dh/dh_pmeth.c.fips openssl-1.1.1d/crypto/dh/dh_pmeth.c +--- openssl-1.1.1d/crypto/dh/dh_pmeth.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dh/dh_pmeth.c 2019-09-13 15:13:11.024525605 +0200 @@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * const EVP_PKEY_METHOD dh_pkey_meth = { @@ -366,9 +366,9 @@ diff -up openssl-1.1.1b/crypto/dh/dh_pmeth.c.fips openssl-1.1.1b/crypto/dh/dh_pm pkey_dh_init, pkey_dh_copy, pkey_dh_cleanup, -diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_err.c ---- openssl-1.1.1b/crypto/dsa/dsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_err.c 2019-02-28 11:30:06.798745819 +0100 +diff -up openssl-1.1.1d/crypto/dsa/dsa_err.c.fips openssl-1.1.1d/crypto/dsa/dsa_err.c +--- openssl-1.1.1d/crypto/dsa/dsa_err.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dsa/dsa_err.c 2019-09-13 15:14:33.737079876 +0200 @@ -16,12 +16,15 @@ static const ERR_STRING_DATA DSA_str_functs[] = { {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, 
@@ -385,22 +385,24 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_err.c.fips openssl-1.1.1b/crypto/dsa/dsa_ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, -@@ -51,9 +54,12 @@ static const ERR_STRING_DATA DSA_str_rea +@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE), "invalid digest type"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), "parameter encoding error"}, {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_gen.c ---- openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_gen.c 2019-02-28 11:30:06.799745800 +0100 +diff -up openssl-1.1.1d/crypto/dsa/dsa_gen.c.fips openssl-1.1.1d/crypto/dsa/dsa_gen.c +--- openssl-1.1.1d/crypto/dsa/dsa_gen.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dsa/dsa_gen.c 2019-09-13 15:13:11.046525220 +0200 @@ -22,12 +22,22 @@ #include #include 
@@ -440,7 +442,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ } } -@@ -310,7 +326,7 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size int *counter_ret, unsigned long *h_ret, BN_GENCB *cb) { @@ -449,7 +451,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ unsigned char *seed = NULL, *seed_tmp = NULL; unsigned char md[EVP_MAX_MD_SIZE]; int mdsize; -@@ -333,6 +349,20 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; } @@ -470,7 +472,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ if (evpmd == NULL) { if (N == 160) evpmd = EVP_sha1(); -@@ -433,9 +463,10 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size goto err; /* Provided seed didn't produce a prime: error */ if (seed_in) { @@ -484,7 +486,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ } /* do a callback call */ -@@ -521,11 +552,14 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size if (counter >= (int)(4 * L)) break; } @@ -499,7 +501,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ } end: if (!BN_GENCB_call(cb, 2, 1)) -@@ -596,7 +630,7 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size BN_free(ret->g); ret->g = BN_dup(g); if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { @@ -508,7 +510,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ goto err; } if (counter_ret != NULL) -@@ -614,3 +648,53 @@ int dsa_builtin_paramgen2(DSA *ret, size +@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size EVP_MD_CTX_free(mctx); return ok; } 
@@ -562,9 +564,9 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_gen.c.fips openssl-1.1.1b/crypto/dsa/dsa_ +} + +#endif -diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_key.c ---- openssl-1.1.1b/crypto/dsa/dsa_key.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_key.c 2019-02-28 11:30:06.799745800 +0100 +diff -up openssl-1.1.1d/crypto/dsa/dsa_key.c.fips openssl-1.1.1d/crypto/dsa/dsa_key.c +--- openssl-1.1.1d/crypto/dsa/dsa_key.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dsa/dsa_key.c 2019-09-13 15:13:11.046525220 +0200 @@ -13,10 +13,49 @@ #include #include "dsa_locl.h" @@ -644,9 +646,9 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_key.c.fips openssl-1.1.1b/crypto/dsa/dsa_ ok = 1; err: -diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa_ossl.c ---- openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_ossl.c 2019-02-28 11:30:06.800745781 +0100 +diff -up openssl-1.1.1d/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1d/crypto/dsa/dsa_ossl.c +--- openssl-1.1.1d/crypto/dsa/dsa_ossl.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dsa/dsa_ossl.c 2019-09-13 15:13:11.047525203 +0200 @@ -14,6 +14,9 @@ #include #include "dsa_locl.h" @@ -657,7 +659,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, -@@ -73,6 +76,19 @@ static DSA_SIG *dsa_do_sign(const unsign +@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign goto err; } 
@@ -677,7 +679,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa ret = DSA_SIG_new(); if (ret == NULL) goto err; -@@ -301,6 +317,18 @@ static int dsa_do_verify(const unsigned +@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); return -1; } @@ -696,7 +698,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); -@@ -389,6 +417,9 @@ static int dsa_do_verify(const unsigned +@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned static int dsa_init(DSA *dsa) { @@ -706,10 +708,10 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1b/crypto/dsa/dsa dsa->flags |= DSA_FLAG_CACHE_MONT_P; return 1; } -diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/dsa_pmeth.c ---- openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/dsa/dsa_pmeth.c 2019-02-28 11:30:06.800745781 +0100 -@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT +diff -up openssl-1.1.1d/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1d/crypto/dsa/dsa_pmeth.c +--- openssl-1.1.1d/crypto/dsa/dsa_pmeth.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/dsa/dsa_pmeth.c 2019-09-13 15:13:11.047525203 +0200 +@@ -215,8 +215,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT BN_GENCB_free(pcb); return 0; } @@ -720,7 +722,7 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/ds BN_GENCB_free(pcb); if (ret) EVP_PKEY_assign_DSA(pkey, dsa); -@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX +@@ -245,7 +245,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD dsa_pkey_meth = { EVP_PKEY_DSA, 
@@ -729,9 +731,9 @@ diff -up openssl-1.1.1b/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1b/crypto/dsa/ds pkey_dsa_init, pkey_dsa_copy, pkey_dsa_cleanup, -diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh_ossl.c ---- openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecdh_ossl.c 2019-02-28 11:30:06.801745763 +0100 +diff -up openssl-1.1.1d/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1d/crypto/ec/ecdh_ossl.c +--- openssl-1.1.1d/crypto/ec/ecdh_ossl.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/ec/ecdh_ossl.c 2019-09-13 15:13:11.047525203 +0200 @@ -19,9 +19,20 @@ #include #include "ec_lcl.h" @@ -753,9 +755,9 @@ diff -up openssl-1.1.1b/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdh if (ecdh->group->meth->ecdh_compute_key == NULL) { ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); return 0; -diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecdsa_ossl.c ---- openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ecdsa_ossl.c 2019-02-28 11:30:06.801745763 +0100 +diff -up openssl-1.1.1d/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1d/crypto/ec/ecdsa_ossl.c +--- openssl-1.1.1d/crypto/ec/ecdsa_ossl.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/ec/ecdsa_ossl.c 2019-09-13 15:13:11.047525203 +0200 @@ -14,6 +14,10 @@ #include "internal/bn_int.h" #include "ec_lcl.h" @@ -767,7 +769,7 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) -@@ -159,6 +163,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns +@@ -163,6 +167,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns ECDSA_SIG *ret; const BIGNUM *priv_key; 
@@ -781,7 +783,7 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd group = EC_KEY_get0_group(eckey); priv_key = EC_KEY_get0_private_key(eckey); -@@ -317,6 +328,13 @@ int ossl_ecdsa_verify_sig(const unsigned +@@ -325,6 +336,13 @@ int ossl_ecdsa_verify_sig(const unsigned const EC_GROUP *group; const EC_POINT *pub_key; @@ -795,9 +797,9 @@ diff -up openssl-1.1.1b/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1b/crypto/ec/ecd /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key.c ---- openssl-1.1.1b/crypto/ec/ec_key.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ec_key.c 2019-02-28 11:30:06.802745744 +0100 +diff -up openssl-1.1.1d/crypto/ec/ec_key.c.fips openssl-1.1.1d/crypto/ec/ec_key.c +--- openssl-1.1.1d/crypto/ec/ec_key.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/ec/ec_key.c 2019-09-13 15:13:11.048525186 +0200 @@ -178,14 +178,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY return eckey->engine; } 
@@ -863,10 +865,10 @@ diff -up openssl-1.1.1b/crypto/ec/ec_key.c.fips openssl-1.1.1b/crypto/ec/ec_key. ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); return 0; } -diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pmeth.c ---- openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/ec/ec_pmeth.c 2019-05-06 14:47:34.651077251 +0200 -@@ -434,7 +434,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * +diff -up openssl-1.1.1d/crypto/ec/ec_pmeth.c.fips openssl-1.1.1d/crypto/ec/ec_pmeth.c +--- openssl-1.1.1d/crypto/ec/ec_pmeth.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/ec/ec_pmeth.c 2019-09-13 15:13:11.048525186 +0200 +@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * const EVP_PKEY_METHOD ec_pkey_meth = { EVP_PKEY_EC, @@ -875,9 +877,9 @@ diff -up openssl-1.1.1b/crypto/ec/ec_pmeth.c.fips openssl-1.1.1b/crypto/ec/ec_pm pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, -diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_allc.c ---- openssl-1.1.1b/crypto/evp/c_allc.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/c_allc.c 2019-02-28 11:30:06.802745744 +0100 +diff -up openssl-1.1.1d/crypto/evp/c_allc.c.fips openssl-1.1.1d/crypto/evp/c_allc.c +--- openssl-1.1.1d/crypto/evp/c_allc.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/c_allc.c 2019-09-13 15:13:11.048525186 +0200 @@ -17,6 +17,9 @@ void openssl_add_all_ciphers_int(void) { 
@@ -959,9 +961,9 @@ diff -up openssl-1.1.1b/crypto/evp/c_allc.c.fips openssl-1.1.1b/crypto/evp/c_all + } +#endif } -diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_alld.c ---- openssl-1.1.1b/crypto/evp/c_alld.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/c_alld.c 2019-02-28 11:30:06.803745726 +0100 +diff -up openssl-1.1.1d/crypto/evp/c_alld.c.fips openssl-1.1.1d/crypto/evp/c_alld.c +--- openssl-1.1.1d/crypto/evp/c_alld.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/c_alld.c 2019-09-13 15:13:11.048525186 +0200 @@ -16,6 +16,9 @@ void openssl_add_all_digests_int(void) @@ -997,9 +999,9 @@ diff -up openssl-1.1.1b/crypto/evp/c_alld.c.fips openssl-1.1.1b/crypto/evp/c_all + } +#endif } -diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/digest.c ---- openssl-1.1.1c/crypto/evp/digest.c.fips 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/evp/digest.c 2019-05-29 15:47:59.220499971 +0200 +diff -up openssl-1.1.1d/crypto/evp/digest.c.fips openssl-1.1.1d/crypto/evp/digest.c +--- openssl-1.1.1d/crypto/evp/digest.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/digest.c 2019-09-13 15:13:11.049525168 +0200 @@ -14,6 +14,9 @@ #include #include "internal/evp_int.h" 
@@ -1060,95 +1062,28 @@ diff -up openssl-1.1.1c/crypto/evp/digest.c.fips openssl-1.1.1c/crypto/evp/diges OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret = ctx->digest->final(ctx, md); if (size != NULL) -diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes.c ---- openssl-1.1.1b/crypto/evp/e_aes.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_aes.c 2019-05-06 16:32:41.631668333 +0200 -@@ -387,22 +387,33 @@ static int aesni_xts_init_key(EVP_CIPHER - return 1; - - if (key) { -+ /* The key is two half length keys in reality */ -+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; -+ const int bits = bytes * 8; -+ -+ /* -+ * Verify that the two keys are different. -+ * -+ * This addresses Rogaway's vulnerability. -+ * See comment in aes_xts_init_key() below. -+ */ -+ if (memcmp(key, key + bytes, bytes) == 0) { -+ EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); -+ return 0; -+ } -+ - /* key_len is two AES keys */ - if (enc) { -- aesni_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ aesni_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) aesni_encrypt; - xctx->stream = aesni_xts_encrypt; - } else { -- aesni_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ aesni_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) aesni_decrypt; - xctx->stream = aesni_xts_decrypt; +diff -up openssl-1.1.1d/crypto/evp/e_aes.c.fips openssl-1.1.1d/crypto/evp/e_aes.c +--- openssl-1.1.1d/crypto/evp/e_aes.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/e_aes.c 2019-09-13 17:19:00.558994569 +0200 +@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. 
+ */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; } - -- aesni_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ aesni_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) aesni_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -791,7 +802,21 @@ static int aes_t4_xts_init_key(EVP_CIPHE - return 1; - - if (key) { -- int bits = EVP_CIPHER_CTX_key_length(ctx) * 4; -+ /* The key is two half length keys in reality */ -+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; -+ const int bits = bytes * 8; -+ -+ /* -+ * Verify that the two keys are different. -+ * -+ * This addresses Rogaway's vulnerability. -+ * See comment in aes_xts_init_key() below. -+ */ -+ if (memcmp(key, key + bytes, bytes) == 0) { -+ EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); -+ return 0; -+ } -+ - xctx->stream = NULL; - /* key_len is two AES keys */ - if (enc) { -@@ -808,8 +833,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE - return 0; - } - } else { -- aes_t4_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ aes_t4_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) aes_t4_decrypt; - switch (bits) { - case 128: -@@ -823,9 +847,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE - } +@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE + * This addresses Rogaway's vulnerability. + * See comment in aes_xts_init_key() below. 
+ */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; } - -- aes_t4_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ aes_t4_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) aes_t4_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -2794,9 +2816,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX +@@ -2833,9 +2833,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX return 1; } @@ -1161,7 +1096,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) { -@@ -2826,6 +2848,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * +@@ -2869,6 +2869,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * case EVP_CTRL_AEAD_SET_IVLEN: if (arg <= 0) return 0; 
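Review bot: The rewritten duplicated-key check in `aesni_xts_init_key` and `aes_t4_xts_init_key` (and again in `aes_xts_init_key`, in the `@@ -1173,141 +1108,16 @@` hunk) removes the `enc &&` guard from the 1.1.1d source with no comment saying why the downstream build differs, so a later rebase could silently lose the change. The existing comment only says the two keys must differ; I would add a line such as `/* Downstream: reject duplicated XTS key halves on decrypt too, not only on encrypt */` above each `if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {`, adjusting the inner hunk counts to match. In the visible lines the condition is also not tied to FIPS mode, so decrypting data that was written with identical key halves would presumably fail in non-FIPS use as well; if that is intended, the same comment should say so. All three functions begin and end outside these hunks, so this is based only on the lines shown.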
@@ -1173,141 +1108,16 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -3275,11 +3302,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX - | EVP_CIPH_CUSTOM_COPY) - - BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - - static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - { -@@ -3313,8 +3343,33 @@ static int aes_xts_init_key(EVP_CIPHER_C - if (!iv && !key) - return 1; - -- if (key) -+ if (key) { - do { -+ /* The key is two half length keys in reality */ -+ const int bytes = EVP_CIPHER_CTX_key_length(ctx) / 2; -+ const int bits = bytes * 8; -+ -+ /* -+ * Verify that the two keys are different. -+ * -+ * This addresses the vulnerability described in Rogaway's -+ * September 2004 paper: -+ * -+ * "Efficient Instantiations of Tweakable Blockciphers and -+ * Refinements to Modes OCB and PMAC". -+ * (http://web.cs.ucdavis.edu/~rogaway/papers/offsets.pdf) -+ * -+ * FIPS 140-2 IG A.9 XTS-AES Key Generation Requirements states -+ * that: -+ * "The check for Key_1 != Key_2 shall be done at any place -+ * BEFORE using the keys in the XTS-AES algorithm to process -+ * data with them." -+ */ -+ if (memcmp(key, key + bytes, bytes) == 0) { -+ EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); -+ return 0; -+ } -+ - #ifdef AES_XTS_ASM - xctx->stream = enc ? 
AES_xts_encrypt : AES_xts_decrypt; - #else -@@ -3324,26 +3379,20 @@ static int aes_xts_init_key(EVP_CIPHER_C - #ifdef HWAES_CAPABLE - if (HWAES_CAPABLE) { - if (enc) { -- HWAES_set_encrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ HWAES_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) HWAES_encrypt; - # ifdef HWAES_xts_encrypt - xctx->stream = HWAES_xts_encrypt; - # endif - } else { -- HWAES_set_decrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ HWAES_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) HWAES_decrypt; - # ifdef HWAES_xts_decrypt - xctx->stream = HWAES_xts_decrypt; - #endif - } - -- HWAES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ HWAES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) HWAES_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -3358,20 +3407,14 @@ static int aes_xts_init_key(EVP_CIPHER_C - #ifdef VPAES_CAPABLE - if (VPAES_CAPABLE) { - if (enc) { -- vpaes_set_encrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ vpaes_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) vpaes_encrypt; - } else { -- vpaes_set_decrypt_key(key, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ vpaes_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) vpaes_decrypt; - } - -- vpaes_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ vpaes_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) vpaes_encrypt; - - xctx->xts.key1 = &xctx->ks1; -@@ -3381,22 +3424,19 @@ static int aes_xts_init_key(EVP_CIPHER_C - (void)0; /* terminate potentially open 'else' */ - - if (enc) { -- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ 
AES_set_encrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) AES_encrypt; - } else { -- AES_set_decrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks1.ks); -+ AES_set_decrypt_key(key, bits, &xctx->ks1.ks); - xctx->xts.block1 = (block128_f) AES_decrypt; +@@ -3380,7 +3385,7 @@ static int aes_xts_init_key(EVP_CIPHER_C + * BEFORE using the keys in the XTS-AES algorithm to process + * data with them." + */ +- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { ++ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { + EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); + return 0; } - -- AES_set_encrypt_key(key + EVP_CIPHER_CTX_key_length(ctx) / 2, -- EVP_CIPHER_CTX_key_length(ctx) * 4, -- &xctx->ks2.ks); -+ AES_set_encrypt_key(key + bytes, bits, &xctx->ks2.ks); - xctx->xts.block2 = (block128_f) AES_encrypt; - - xctx->xts.key1 = &xctx->ks1; - } while (0); -+ } - - if (iv) { - xctx->xts.key2 = &xctx->ks2; -@@ -3414,6 +3454,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3484,6 +3489,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1322,7 +1132,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, -@@ -3431,8 +3479,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3501,8 +3514,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) @@ -1335,7 +1145,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3697,11 +3747,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX +@@ -3772,11 +3787,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, 
@@ -1350,7 +1160,7 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. typedef struct { union { -@@ -3794,7 +3844,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -3869,7 +3884,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } @@ -1359,9 +1169,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_aes.c.fips openssl-1.1.1b/crypto/evp/e_aes. | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) -diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des3.c ---- openssl-1.1.1b/crypto/evp/e_des3.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_des3.c 2019-02-28 11:30:06.804745707 +0100 +diff -up openssl-1.1.1d/crypto/evp/e_des3.c.fips openssl-1.1.1d/crypto/evp/e_des3.c +--- openssl-1.1.1d/crypto/evp/e_des3.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/e_des3.c 2019-09-13 15:13:11.050525151 +0200 @@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, # define des_ede3_cbc_cipher des_ede_cbc_cipher # define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -1388,9 +1198,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_des3.c.fips openssl-1.1.1b/crypto/evp/e_des static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) -diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_null.c ---- openssl-1.1.1b/crypto/evp/e_null.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/e_null.c 2019-02-28 11:30:06.805745688 +0100 +diff -up openssl-1.1.1d/crypto/evp/e_null.c.fips openssl-1.1.1d/crypto/evp/e_null.c +--- openssl-1.1.1d/crypto/evp/e_null.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/e_null.c 2019-09-13 15:13:11.051525133 +0200 @@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c const unsigned char *in, size_t inl); static const EVP_CIPHER n_cipher = { 
@@ -1401,9 +1211,9 @@ diff -up openssl-1.1.1b/crypto/evp/e_null.c.fips openssl-1.1.1b/crypto/evp/e_nul null_init_key, null_cipher, NULL, -diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_enc.c ---- openssl-1.1.1b/crypto/evp/evp_enc.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_enc.c 2019-02-28 11:30:06.805745688 +0100 +diff -up openssl-1.1.1d/crypto/evp/evp_enc.c.fips openssl-1.1.1d/crypto/evp/evp_enc.c +--- openssl-1.1.1d/crypto/evp/evp_enc.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/evp_enc.c 2019-09-13 15:13:11.051525133 +0200 @@ -17,10 +17,19 @@ #include #include "internal/evp_int.h" 
@@ -1479,27 +1289,18 @@ diff -up openssl-1.1.1b/crypto/evp/evp_enc.c.fips openssl-1.1.1b/crypto/evp/evp_ if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { if (!ctx->cipher->init(ctx, key, iv, enc)) -diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_err.c ---- openssl-1.1.1b/crypto/evp/evp_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_err.c 2019-05-06 16:41:08.565739361 +0200 -@@ -15,11 +15,16 @@ - - static const ERR_STRING_DATA EVP_str_functs[] = { - {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_INIT_KEY, 0), "aesni_init_key"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AESNI_XTS_INIT_KEY, 0), "aesni_xts_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_GCM_CTRL, 0), "aes_gcm_ctrl"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_INIT_KEY, 0), "aes_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_OCB_CIPHER, 0), "aes_ocb_cipher"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_INIT_KEY, 0), "aes_t4_init_key"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), -+ "aes_t4_xts_init_key"}, +diff -up openssl-1.1.1d/crypto/evp/evp_err.c.fips openssl-1.1.1d/crypto/evp/evp_err.c +--- openssl-1.1.1d/crypto/evp/evp_err.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/evp_err.c 2019-09-13 15:25:47.290298192 +0200 +@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), + "aes_t4_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, + {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_GCM_CTRL, 0), "aria_gcm_ctrl"}, -@@ -179,6 +180,7 @@ static const ERR_STRING_DATA EVP_str_rea +@@ 
-186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea "different key types"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), "different parameters"}, @@ -1507,7 +1308,7 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), "error loading section"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), -@@ -241,6 +243,7 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -248,6 +250,7 @@ static const ERR_STRING_DATA EVP_str_rea {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), "private key encode error"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, 
@@ -1515,20 +1316,18 @@ diff -up openssl-1.1.1b/crypto/evp/evp_err.c.fips openssl-1.1.1b/crypto/evp/evp_ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, -@@ -266,6 +269,10 @@ static const ERR_STRING_DATA EVP_str_rea +@@ -273,6 +276,8 @@ static const ERR_STRING_DATA EVP_str_rea "wrap mode not allowed"}, {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), + "xts data unit is too large"}, -+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), -+ "xts duplicated keys"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, {0, NULL} - }; - -diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_lib.c ---- openssl-1.1.1b/crypto/evp/evp_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/evp_lib.c 2019-02-28 11:30:06.806745670 +0100 +diff -up openssl-1.1.1d/crypto/evp/evp_lib.c.fips openssl-1.1.1d/crypto/evp/evp_lib.c +--- openssl-1.1.1d/crypto/evp/evp_lib.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/evp_lib.c 2019-09-13 15:13:11.051525133 +0200 @@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) 
@@ -1539,9 +1338,9 @@ diff -up openssl-1.1.1b/crypto/evp/evp_lib.c.fips openssl-1.1.1b/crypto/evp/evp_ return ctx->cipher->do_cipher(ctx, out, in, inl); } -diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha1.c ---- openssl-1.1.1b/crypto/evp/m_sha1.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/m_sha1.c 2019-02-28 11:30:06.806745670 +0100 +diff -up openssl-1.1.1d/crypto/evp/m_sha1.c.fips openssl-1.1.1d/crypto/evp/m_sha1.c +--- openssl-1.1.1d/crypto/evp/m_sha1.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/m_sha1.c 2019-09-13 15:13:11.052525116 +0200 @@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { NID_sha1, NID_sha1WithRSAEncryption, @@ -1605,10 +1404,10 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha1.c.fips openssl-1.1.1b/crypto/evp/m_sha init512, update512, final512, -diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha3.c ---- openssl-1.1.1b/crypto/evp/m_sha3.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/m_sha3.c 2019-05-06 16:12:23.012851747 +0200 -@@ -292,7 +292,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) +diff -up openssl-1.1.1d/crypto/evp/m_sha3.c.fips openssl-1.1.1d/crypto/evp/m_sha3.c +--- openssl-1.1.1d/crypto/evp/m_sha3.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/m_sha3.c 2019-09-13 15:13:11.052525116 +0200 +@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ @@ -1617,7 +1416,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha s390x_sha3_init, \ s390x_sha3_update, \ s390x_sha3_final, \ -@@ -305,7 +305,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) +@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ 
@@ -1626,7 +1425,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha sha3_init, \ sha3_update, \ sha3_final, \ -@@ -326,7 +326,7 @@ const EVP_MD *EVP_shake##bitlen(void) +@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ @@ -1635,7 +1434,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha s390x_shake_init, \ s390x_sha3_update, \ s390x_shake_final, \ -@@ -340,7 +340,7 @@ const EVP_MD *EVP_shake##bitlen(void) +@@ -343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ @@ -1644,7 +1443,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha shake_init, \ sha3_update, \ sha3_final, \ -@@ -364,7 +364,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) +@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) NID_sha3_##bitlen, \ NID_RSA_SHA3_##bitlen, \ bitlen / 8, \ @@ -1653,7 +1452,7 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha sha3_init, \ sha3_update, \ sha3_final, \ -@@ -383,7 +383,7 @@ const EVP_MD *EVP_shake##bitlen(void) +@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void) NID_shake##bitlen, \ 0, \ bitlen / 8, \ @@ -1662,9 +1461,9 @@ diff -up openssl-1.1.1b/crypto/evp/m_sha3.c.fips openssl-1.1.1b/crypto/evp/m_sha shake_init, \ sha3_update, \ sha3_final, \ -diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pmeth_lib.c ---- openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/evp/pmeth_lib.c 2019-05-06 15:11:33.207095983 +0200 +diff -up openssl-1.1.1d/crypto/evp/pmeth_lib.c.fips openssl-1.1.1d/crypto/evp/pmeth_lib.c +--- openssl-1.1.1d/crypto/evp/pmeth_lib.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/evp/pmeth_lib.c 2019-09-13 15:13:11.052525116 +0200 
@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE pmeth = ENGINE_get_pkey_meth(e, id); else @@ -1681,9 +1480,9 @@ diff -up openssl-1.1.1b/crypto/evp/pmeth_lib.c.fips openssl-1.1.1b/crypto/evp/pm if (pmeth == NULL) { #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/build.info ---- openssl-1.1.1b/crypto/fips/build.info.fips 2019-02-28 11:30:06.806745670 +0100 -+++ openssl-1.1.1b/crypto/fips/build.info 2019-02-28 11:30:06.806745670 +0100 +diff -up openssl-1.1.1d/crypto/fips/build.info.fips openssl-1.1.1d/crypto/fips/build.info +--- openssl-1.1.1d/crypto/fips/build.info.fips 2019-09-13 15:13:11.052525116 +0200 ++++ openssl-1.1.1d/crypto/fips/build.info 2019-09-13 15:13:11.052525116 +0200 @@ -0,0 +1,15 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]=\ @@ -1700,9 +1499,9 @@ diff -up openssl-1.1.1b/crypto/fips/build.info.fips openssl-1.1.1b/crypto/fips/b +SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c +INCLUDE[fips_standalone_hmac]=../../include +DEPEND[fips_standalone_hmac]=../../libcrypto -diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_aes_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips 2019-02-28 11:30:06.807745651 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_aes_selftest.c 2019-02-28 11:30:06.807745651 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_aes_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_aes_selftest.c.fips 2019-09-13 15:13:11.053525098 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_aes_selftest.c 2019-09-13 15:13:11.053525098 +0200 @@ -0,0 +1,372 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -2076,9 +1875,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1b/cryp +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips.c ---- openssl-1.1.1b/crypto/fips/fips.c.fips 2019-02-28 11:30:06.807745651 +0100 -+++ openssl-1.1.1b/crypto/fips/fips.c 2019-02-28 11:30:06.807745651 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips.c.fips openssl-1.1.1d/crypto/fips/fips.c +--- openssl-1.1.1d/crypto/fips/fips.c.fips 2019-09-13 15:13:11.053525098 +0200 ++++ openssl-1.1.1d/crypto/fips/fips.c 2019-09-13 15:13:11.053525098 +0200 @@ -0,0 +1,526 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2606,9 +2405,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips.c.fips openssl-1.1.1b/crypto/fips/fips. +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c 2019-02-28 11:30:06.808745633 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_cmac_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_cmac_selftest.c.fips 2019-09-13 15:13:11.053525098 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_cmac_selftest.c 2019-09-13 15:13:11.053525098 +0200 @@ -0,0 +1,156 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -2766,9 +2565,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1b/cry + return rv; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_des_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips 2019-02-28 11:30:06.808745633 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_des_selftest.c 2019-02-28 11:30:06.808745633 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_des_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_des_selftest.c.fips 2019-09-13 15:13:11.053525098 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_des_selftest.c 2019-09-13 15:13:11.053525098 +0200 @@ -0,0 +1,133 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -2903,9 +2702,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1b/cryp + return ret; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dh_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips 2019-02-28 11:30:06.810745596 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_dh_selftest.c 2019-02-28 11:30:06.810745596 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_dh_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_dh_selftest.c.fips 2019-09-13 15:13:11.055525063 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_dh_selftest.c 2019-09-13 15:13:11.055525063 +0200 @@ -0,0 +1,180 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -3087,9 +2886,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1b/crypt + return ret; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips 2019-02-28 11:30:06.811745577 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c 2019-02-28 11:30:06.811745577 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1d/crypto/fips/fips_drbg_ctr.c +--- openssl-1.1.1d/crypto/fips/fips_drbg_ctr.c.fips 2019-09-13 15:13:11.055525063 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_ctr.c 2019-09-13 15:13:11.055525063 +0200 @@ -0,0 +1,406 @@ +/* fips/rand/fips_drbg_ctr.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -3497,9 +3296,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1b/crypto/f + + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hash.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips 2019-02-28 11:30:06.811745577 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_hash.c 2019-02-28 11:30:06.811745577 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1d/crypto/fips/fips_drbg_hash.c +--- openssl-1.1.1d/crypto/fips/fips_drbg_hash.c.fips 2019-09-13 15:13:11.056525046 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_hash.c 2019-09-13 15:13:11.056525046 +0200 @@ -0,0 +1,354 @@ +/* fips/rand/fips_drbg_hash.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -3855,9 +3654,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1b/crypto/ + + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips 2019-02-28 11:30:06.811745577 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c 2019-02-28 11:30:06.811745577 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1d/crypto/fips/fips_drbg_hmac.c +--- openssl-1.1.1d/crypto/fips/fips_drbg_hmac.c.fips 2019-09-13 15:13:11.056525046 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_hmac.c 2019-09-13 15:13:11.056525046 +0200 @@ -0,0 +1,262 @@ +/* fips/rand/fips_drbg_hmac.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4121,9 +3920,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1b/crypto/ + + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_lib.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips 2019-02-28 11:30:06.812745558 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_lib.c 2019-02-28 11:30:06.812745558 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1d/crypto/fips/fips_drbg_lib.c +--- openssl-1.1.1d/crypto/fips/fips_drbg_lib.c.fips 2019-09-13 15:13:11.056525046 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_lib.c 2019-09-13 15:13:11.056525046 +0200 @@ -0,0 +1,528 @@ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. 
@@ -4653,9 +4452,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1b/crypto/f +{ + /* Just backwards compatibility API call with no effect. */ +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_rand.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips 2019-02-28 11:30:06.812745558 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_rand.c 2019-02-28 11:30:06.812745558 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1d/crypto/fips/fips_drbg_rand.c +--- openssl-1.1.1d/crypto/fips/fips_drbg_rand.c.fips 2019-09-13 15:13:11.056525046 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_rand.c 2019-09-13 15:13:11.056525046 +0200 @@ -0,0 +1,185 @@ +/* fips/rand/fips_drbg_rand.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -4842,9 +4641,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1b/crypto/ +{ + return &rand_drbg_meth; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips 2019-02-28 11:30:06.812745558 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c 2019-02-28 11:30:06.812745558 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_drbg_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_drbg_selftest.c.fips 2019-09-13 15:13:11.057525028 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_selftest.c 2019-09-13 15:13:11.057525028 +0200 @@ -0,0 +1,828 @@ +/* fips/rand/fips_drbg_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -5674,9 +5473,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1b/cry + FIPS_drbg_free(dctx); + return rv; +} -diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h ---- openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips 2019-02-28 11:30:06.813745540 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h 2019-02-28 11:30:06.813745540 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1d/crypto/fips/fips_drbg_selftest.h +--- openssl-1.1.1d/crypto/fips/fips_drbg_selftest.h.fips 2019-09-13 15:13:11.057525028 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_drbg_selftest.h 2019-09-13 15:13:11.057525028 +0200 @@ -0,0 +1,1791 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -7469,9 +7268,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1b/cry + 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79, + 0xc2, 0xd6, 0xfd, 0xa5 +}; -diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c 2019-02-28 11:30:06.814745521 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c.fips 2019-09-13 15:13:11.057525028 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c 2019-09-13 15:13:11.057525028 +0200 @@ -0,0 +1,195 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -7668,9 +7467,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1b/cryp + return ret; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c 2019-02-28 11:30:06.814745521 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c.fips 2019-09-13 15:13:11.058525011 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c 2019-09-13 15:13:11.058525011 +0200 @@ -0,0 +1,242 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL @@ -7914,9 +7713,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1b/cry +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips 2019-02-28 11:30:06.814745521 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c 2019-02-28 11:30:06.814745521 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_ecdsa_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_ecdsa_selftest.c.fips 2019-09-13 15:13:11.058525011 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_ecdsa_selftest.c 2019-09-13 15:13:11.058525011 +0200 @@ -0,0 +1,166 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -8084,9 +7883,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1b/cr +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/fips_err.h ---- openssl-1.1.1b/crypto/fips/fips_err.h.fips 2019-05-06 16:08:46.792598211 +0200 -+++ openssl-1.1.1b/crypto/fips/fips_err.h 2019-05-06 16:19:56.403993551 +0200 +diff -up openssl-1.1.1d/crypto/fips/fips_err.h.fips openssl-1.1.1d/crypto/fips/fips_err.h +--- openssl-1.1.1d/crypto/fips/fips_err.h.fips 2019-09-13 15:13:11.058525011 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_err.h 2019-09-13 15:13:11.058525011 +0200 @@ -0,0 +1,197 @@ +/* crypto/fips_err.h */ +/* ==================================================================== @@ -8285,9 +8084,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_err.h.fips openssl-1.1.1b/crypto/fips/f +#endif + return 1; +} -diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/fips_ers.c ---- openssl-1.1.1b/crypto/fips/fips_ers.c.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_ers.c 2019-02-28 11:30:06.815745503 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_ers.c.fips openssl-1.1.1d/crypto/fips/fips_ers.c +--- openssl-1.1.1d/crypto/fips/fips_ers.c.fips 2019-09-13 15:13:11.058525011 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_ers.c 2019-09-13 15:13:11.058525011 +0200 @@ -0,0 +1,7 @@ +#include + 
@@ -8296,9 +8095,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_ers.c.fips openssl-1.1.1b/crypto/fips/f +#else +static void *dummy = &dummy; +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c 2019-02-28 11:30:06.815745503 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c.fips 2019-09-13 15:13:11.059524993 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c 2019-09-13 15:13:11.059524993 +0200 @@ -0,0 +1,134 @@ +/* ==================================================================== + * Copyright (c) 2005 The OpenSSL Project. All rights reserved. @@ -8434,9 +8233,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1b/cry + return 1; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/fips_locl.h ---- openssl-1.1.1b/crypto/fips/fips_locl.h.fips 2019-02-28 11:30:06.815745503 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_locl.h 2019-02-28 11:30:06.815745503 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_locl.h.fips openssl-1.1.1d/crypto/fips/fips_locl.h +--- openssl-1.1.1d/crypto/fips/fips_locl.h.fips 2019-09-13 15:13:11.059524993 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_locl.h 2019-09-13 15:13:11.059524993 +0200 @@ -0,0 +1,71 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
@@ -8509,9 +8308,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_locl.h.fips openssl-1.1.1b/crypto/fips/ +} +# endif +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/fips_post.c ---- openssl-1.1.1b/crypto/fips/fips_post.c.fips 2019-05-06 16:08:46.794598177 +0200 -+++ openssl-1.1.1b/crypto/fips/fips_post.c 2019-05-06 16:08:46.794598177 +0200 +diff -up openssl-1.1.1d/crypto/fips/fips_post.c.fips openssl-1.1.1d/crypto/fips/fips_post.c +--- openssl-1.1.1d/crypto/fips/fips_post.c.fips 2019-09-13 15:13:11.059524993 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_post.c 2019-09-13 15:13:11.059524993 +0200 @@ -0,0 +1,224 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -8737,9 +8536,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_post.c.fips openssl-1.1.1b/crypto/fips/ + return 1; +} +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/fips/fips_rand_lcl.h ---- openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_rand_lcl.h 2019-02-28 11:30:06.816745484 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1d/crypto/fips/fips_rand_lcl.h +--- openssl-1.1.1d/crypto/fips/fips_rand_lcl.h.fips 2019-09-13 15:13:11.060524976 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_rand_lcl.h 2019-09-13 15:13:11.060524976 +0200 @@ -0,0 +1,203 @@ +/* fips/rand/fips_rand_lcl.h */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 
@@ -8944,9 +8743,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1b/crypto/f +#define FIPS_digestupdate EVP_DigestUpdate +#define FIPS_digestfinal EVP_DigestFinal +#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/fips/fips_rand_lib.c ---- openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_rand_lib.c 2019-02-28 11:30:06.816745484 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1d/crypto/fips/fips_rand_lib.c +--- openssl-1.1.1d/crypto/fips/fips_rand_lib.c.fips 2019-09-13 15:13:11.060524976 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_rand_lib.c 2019-09-13 15:13:11.060524976 +0200 @@ -0,0 +1,234 @@ +/* ==================================================================== + * Copyright (c) 2011 The OpenSSL Project. All rights reserved. @@ -9182,9 +8981,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1b/crypto/f +# endif +} + -diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips 2019-02-28 11:30:06.816745484 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c 2019-02-28 11:30:06.816745484 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_rsa_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_rsa_selftest.c.fips 2019-09-13 15:13:11.060524976 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_rsa_selftest.c 2019-09-13 15:13:11.060524976 +0200 @@ -0,0 +1,338 @@ +/* ==================================================================== + * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved. 
@@ -9524,9 +9323,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1b/cryp +} + +#endif /* def OPENSSL_FIPS */ -diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/crypto/fips/fips_sha_selftest.c ---- openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips 2019-05-06 16:08:46.795598159 +0200 -+++ openssl-1.1.1b/crypto/fips/fips_sha_selftest.c 2019-05-06 17:35:40.211316880 +0200 +diff -up openssl-1.1.1d/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1d/crypto/fips/fips_sha_selftest.c +--- openssl-1.1.1d/crypto/fips/fips_sha_selftest.c.fips 2019-09-13 15:13:11.060524976 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_sha_selftest.c 2019-09-13 15:13:11.060524976 +0200 @@ -0,0 +1,223 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -9751,9 +9550,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1b/cryp +} + +#endif -diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c ---- openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips 2019-02-28 11:30:06.817745466 +0100 -+++ openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c 2019-02-28 11:30:06.817745466 +0100 +diff -up openssl-1.1.1d/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1d/crypto/fips/fips_standalone_hmac.c +--- openssl-1.1.1d/crypto/fips/fips_standalone_hmac.c.fips 2019-09-13 15:13:11.061524958 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_standalone_hmac.c 2019-09-13 15:13:11.061524958 +0200 @@ -0,0 +1,127 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -9882,9 +9681,9 @@ diff -up openssl-1.1.1b/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1b/c +#endif + return 0; +} -diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac.c ---- openssl-1.1.1c/crypto/hmac/hmac.c.fips 2019-05-29 15:46:19.138261106 +0200 -+++ openssl-1.1.1c/crypto/hmac/hmac.c 2019-05-29 15:49:09.508263133 +0200 +diff -up openssl-1.1.1d/crypto/hmac/hmac.c.fips openssl-1.1.1d/crypto/hmac/hmac.c +--- openssl-1.1.1d/crypto/hmac/hmac.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/hmac/hmac.c 2019-09-13 15:13:11.061524958 +0200 @@ -43,6 +43,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo return 0; @@ -9899,9 +9698,9 @@ diff -up openssl-1.1.1c/crypto/hmac/hmac.c.fips openssl-1.1.1c/crypto/hmac/hmac. reset = 1; j = EVP_MD_block_size(md); if (!ossl_assert(j <= (int)sizeof(ctx->key))) -diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/hm_pmeth.c ---- openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/hmac/hm_pmeth.c 2019-05-06 14:56:01.123257022 +0200 +diff -up openssl-1.1.1d/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1d/crypto/hmac/hm_pmeth.c +--- openssl-1.1.1d/crypto/hmac/hm_pmeth.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/hmac/hm_pmeth.c 2019-09-13 15:13:11.061524958 +0200 @@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C const EVP_PKEY_METHOD hmac_pkey_meth = { 
@@ -9911,9 +9710,9 @@ diff -up openssl-1.1.1b/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1b/crypto/hmac/h pkey_hmac_init, pkey_hmac_copy, pkey_hmac_cleanup, -diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/crypto/include/internal/fips_int.h ---- openssl-1.1.1b/crypto/include/internal/fips_int.h.fips 2019-02-28 11:30:06.817745466 +0100 -+++ openssl-1.1.1b/crypto/include/internal/fips_int.h 2019-02-28 11:30:06.817745466 +0100 +diff -up openssl-1.1.1d/crypto/include/internal/fips_int.h.fips openssl-1.1.1d/crypto/include/internal/fips_int.h +--- openssl-1.1.1d/crypto/include/internal/fips_int.h.fips 2019-09-13 15:13:11.061524958 +0200 ++++ openssl-1.1.1d/crypto/include/internal/fips_int.h 2019-09-13 15:13:11.061524958 +0200 @@ -0,0 +1,98 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -10013,9 +9812,9 @@ diff -up openssl-1.1.1b/crypto/include/internal/fips_int.h.fips openssl-1.1.1b/c +void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + +#endif -diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c ---- openssl-1.1.1b/crypto/o_fips.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/o_fips.c 2019-02-28 11:30:06.817745466 +0100 +diff -up openssl-1.1.1d/crypto/o_fips.c.fips openssl-1.1.1d/crypto/o_fips.c +--- openssl-1.1.1d/crypto/o_fips.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/o_fips.c 2019-09-13 15:13:11.061524958 +0200 @@ -8,17 +8,28 @@ */ 
@@ -10045,9 +9844,9 @@ diff -up openssl-1.1.1b/crypto/o_fips.c.fips openssl-1.1.1b/crypto/o_fips.c return 0; +#endif } -diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c ---- openssl-1.1.1b/crypto/o_init.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/o_init.c 2019-02-28 11:30:06.817745466 +0100 +diff -up openssl-1.1.1d/crypto/o_init.c.fips openssl-1.1.1d/crypto/o_init.c +--- openssl-1.1.1d/crypto/o_init.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/o_init.c 2019-09-13 15:13:11.062524941 +0200 @@ -7,8 +7,68 @@ * https://www.openssl.org/source/license.html */ @@ -10117,9 +9916,9 @@ diff -up openssl-1.1.1b/crypto/o_init.c.fips openssl-1.1.1b/crypto/o_init.c /* * Perform any essential OpenSSL initialization operations. Currently does -diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/rand_lib.c ---- openssl-1.1.1b/crypto/rand/rand_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rand/rand_lib.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1d/crypto/rand/rand_lib.c.fips openssl-1.1.1d/crypto/rand/rand_lib.c +--- openssl-1.1.1d/crypto/rand/rand_lib.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rand/rand_lib.c 2019-09-13 15:13:11.062524941 +0200 @@ -16,6 +16,10 @@ #include "internal/thread_once.h" #include "rand_lcl.h" @@ -10131,7 +9930,7 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/r #ifndef OPENSSL_NO_ENGINE /* non-NULL if default_RAND_meth is ENGINE-provided */ -@@ -857,3 +861,15 @@ int RAND_status(void) +@@ -959,3 +963,15 @@ int RAND_status(void) return meth->status(); return 0; } 
@@ -10147,9 +9946,9 @@ diff -up openssl-1.1.1b/crypto/rand/rand_lib.c.fips openssl-1.1.1b/crypto/rand/r + return 1; +} +#endif -diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa_crpt.c ---- openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_crpt.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1d/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1d/crypto/rsa/rsa_crpt.c +--- openssl-1.1.1d/crypto/rsa/rsa_crpt.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_crpt.c 2019-09-13 15:13:11.062524941 +0200 @@ -27,24 +27,52 @@ int RSA_size(const RSA *r) int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -10203,9 +10002,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1b/crypto/rsa/rsa return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); } -diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_err.c ---- openssl-1.1.1b/crypto/rsa/rsa_err.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_err.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1d/crypto/rsa/rsa_err.c.fips openssl-1.1.1d/crypto/rsa/rsa_err.c +--- openssl-1.1.1d/crypto/rsa/rsa_err.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_err.c 2019-09-13 15:13:11.062524941 +0200 @@ -16,6 +16,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = { {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, 
@@ -10248,7 +10047,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, {0, NULL} }; -@@ -181,6 +192,7 @@ static const ERR_STRING_DATA RSA_str_rea +@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea "mp exponent not congruent to d"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, @@ -10256,7 +10055,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), "null before block missing"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), -@@ -189,6 +201,8 @@ static const ERR_STRING_DATA RSA_str_rea +@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea "n does not equal p q"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), "oaep decoding error"}, @@ -10265,7 +10064,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), -@@ -224,6 +238,8 @@ static const ERR_STRING_DATA RSA_str_rea +@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea "unsupported mask algorithm"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"}, 
@@ -10274,9 +10073,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_err.c.fips openssl-1.1.1b/crypto/rsa/rsa_ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, -diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_gen.c ---- openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_gen.c 2019-02-28 11:30:06.818745447 +0100 +diff -up openssl-1.1.1d/crypto/rsa/rsa_gen.c.fips openssl-1.1.1d/crypto/rsa/rsa_gen.c +--- openssl-1.1.1d/crypto/rsa/rsa_gen.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_gen.c 2019-09-13 15:13:11.063524923 +0200 @@ -18,6 +18,76 @@ #include "internal/cryptlib.h" #include @@ -10669,9 +10468,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_gen.c.fips openssl-1.1.1b/crypto/rsa/rsa_ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, BN_GENCB *cb) { -diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_lib.c ---- openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_lib.c 2019-02-28 11:30:06.819745428 +0100 +diff -up openssl-1.1.1d/crypto/rsa/rsa_lib.c.fips openssl-1.1.1d/crypto/rsa/rsa_lib.c +--- openssl-1.1.1d/crypto/rsa/rsa_lib.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_lib.c 2019-09-13 15:13:11.063524923 +0200 @@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M * to deal with which ENGINE it comes from. */ 
@@ -10714,9 +10513,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_lib.c.fips openssl-1.1.1b/crypto/rsa/rsa_ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { goto err; } -diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa_ossl.c ---- openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_ossl.c 2019-02-28 11:31:57.315691372 +0100 +diff -up openssl-1.1.1d/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1d/crypto/rsa/rsa_ossl.c +--- openssl-1.1.1d/crypto/rsa/rsa_ossl.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_ossl.c 2019-09-13 15:13:11.063524923 +0200 @@ -12,6 +12,10 @@ #include "rsa_locl.h" #include "internal/constant_time_locl.h" @@ -10764,7 +10563,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -@@ -247,6 +273,22 @@ static int rsa_ossl_private_encrypt(int +@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int BIGNUM *unblind = NULL; BN_BLINDING *blinding = NULL; @@ -10787,7 +10586,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); -@@ -377,6 +419,22 @@ static int rsa_ossl_private_decrypt(int +@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int BIGNUM *unblind = NULL; BN_BLINDING *blinding = NULL; @@ -10810,7 +10609,7 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); -@@ -500,6 +558,22 @@ static int rsa_ossl_public_decrypt(int f +@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f unsigned char *buf = NULL; BN_CTX *ctx = NULL; 
@@ -10833,9 +10632,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1b/crypto/rsa/rsa if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); return -1; -diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rsa_pmeth.c ---- openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips 2019-05-06 14:48:26.514174053 +0200 -+++ openssl-1.1.1b/crypto/rsa/rsa_pmeth.c 2019-05-06 14:45:46.732956649 +0200 +diff -up openssl-1.1.1d/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1d/crypto/rsa/rsa_pmeth.c +--- openssl-1.1.1d/crypto/rsa/rsa_pmeth.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_pmeth.c 2019-09-13 15:13:11.063524923 +0200 @@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX const EVP_PKEY_METHOD rsa_pkey_meth = { @@ -10854,9 +10653,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1b/crypto/rsa/rs pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, -diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa_sign.c ---- openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/rsa/rsa_sign.c 2019-02-28 11:30:06.819745428 +0100 +diff -up openssl-1.1.1d/crypto/rsa/rsa_sign.c.fips openssl-1.1.1d/crypto/rsa/rsa_sign.c +--- openssl-1.1.1d/crypto/rsa/rsa_sign.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/rsa/rsa_sign.c 2019-09-13 15:13:11.064524906 +0200 @@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch unsigned char *tmps = NULL; const unsigned char *encoded = NULL; 
@@ -10883,9 +10682,9 @@ diff -up openssl-1.1.1b/crypto/rsa/rsa_sign.c.fips openssl-1.1.1b/crypto/rsa/rsa if (encrypt_len <= 0) goto err; -diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha256.c ---- openssl-1.1.1b/crypto/sha/sha256.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/sha/sha256.c 2019-02-28 11:30:06.819745428 +0100 +diff -up openssl-1.1.1d/crypto/sha/sha256.c.fips openssl-1.1.1d/crypto/sha/sha256.c +--- openssl-1.1.1d/crypto/sha/sha256.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/sha/sha256.c 2019-09-13 15:13:11.064524906 +0200 @@ -18,6 +18,9 @@ int SHA224_Init(SHA256_CTX *c) @@ -10906,9 +10705,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha256.c.fips openssl-1.1.1b/crypto/sha/sha25 memset(c, 0, sizeof(*c)); c->h[0] = 0x6a09e667UL; c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha512.c ---- openssl-1.1.1b/crypto/sha/sha512.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/sha/sha512.c 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1d/crypto/sha/sha512.c.fips openssl-1.1.1d/crypto/sha/sha512.c +--- openssl-1.1.1d/crypto/sha/sha512.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/sha/sha512.c 2019-09-13 15:13:11.064524906 +0200 @@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) int SHA384_Init(SHA512_CTX *c) 
@@ -10929,9 +10728,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha512.c.fips openssl-1.1.1b/crypto/sha/sha51 c->h[0] = U64(0x6a09e667f3bcc908); c->h[1] = U64(0xbb67ae8584caa73b); c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha_locl.h ---- openssl-1.1.1b/crypto/sha/sha_locl.h.fips 2019-02-28 11:30:06.628748979 +0100 -+++ openssl-1.1.1b/crypto/sha/sha_locl.h 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1d/crypto/sha/sha_locl.h.fips openssl-1.1.1d/crypto/sha/sha_locl.h +--- openssl-1.1.1d/crypto/sha/sha_locl.h.fips 2019-09-13 15:13:10.837528873 +0200 ++++ openssl-1.1.1d/crypto/sha/sha_locl.h 2019-09-13 15:13:11.064524906 +0200 @@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c int HASH_INIT(SHA_CTX *c) @@ -10942,9 +10741,9 @@ diff -up openssl-1.1.1b/crypto/sha/sha_locl.h.fips openssl-1.1.1b/crypto/sha/sha memset(c, 0, sizeof(*c)); c->h0 = INIT_DATA_h0; c->h1 = INIT_DATA_h1; -diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod ---- openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1d/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1d/doc/man3/DSA_generate_parameters.pod +--- openssl-1.1.1d/doc/man3/DSA_generate_parameters.pod.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/doc/man3/DSA_generate_parameters.pod 2019-09-13 15:13:11.064524906 +0200 @@ -30,8 +30,10 @@ B is the length of the prime p to For lengths under 2048 bits, the length of q is 160 bits; for lengths greater than or equal to 2048 bits, the length of q is set to 256 bits. 
@@ -10958,9 +10757,9 @@ diff -up openssl-1.1.1b/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1b DSA_generate_parameters_ex() places the iteration count in *B and a counter used for finding a generator in -diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/openssl/crypto.h ---- openssl-1.1.1b/include/openssl/crypto.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/crypto.h 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1d/include/openssl/crypto.h.fips openssl-1.1.1d/include/openssl/crypto.h +--- openssl-1.1.1d/include/openssl/crypto.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/crypto.h 2019-09-13 15:13:11.065524888 +0200 @@ -331,6 +331,11 @@ int OPENSSL_isservice(void); int FIPS_mode(void); int FIPS_mode_set(int r); @@ -10973,10 +10772,10 @@ diff -up openssl-1.1.1b/include/openssl/crypto.h.fips openssl-1.1.1b/include/ope void OPENSSL_init(void); # ifdef OPENSSL_SYS_UNIX void OPENSSL_fork_prepare(void); -diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/openssl/dherr.h ---- openssl-1.1.1b/include/openssl/dherr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dherr.h 2019-02-28 11:30:06.820745410 +0100 -@@ -32,6 +32,9 @@ int ERR_load_DH_strings(void); +diff -up openssl-1.1.1d/include/openssl/dherr.h.fips openssl-1.1.1d/include/openssl/dherr.h +--- openssl-1.1.1d/include/openssl/dherr.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/dherr.h 2019-09-13 15:13:11.065524888 +0200 +@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void); # define DH_F_DH_CMS_DECRYPT 114 # define DH_F_DH_CMS_SET_PEERKEY 115 # define DH_F_DH_CMS_SET_SHARED_INFO 116 
@@ -10986,7 +10785,7 @@ diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/open # define DH_F_DH_METH_DUP 117 # define DH_F_DH_METH_NEW 118 # define DH_F_DH_METH_SET1_NAME 119 -@@ -69,12 +72,14 @@ int ERR_load_DH_strings(void); +@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void); # define DH_R_INVALID_PARAMETER_NID 114 # define DH_R_INVALID_PUBKEY 102 # define DH_R_KDF_PARAMETER_ERROR 112 @@ -11001,9 +10800,9 @@ diff -up openssl-1.1.1b/include/openssl/dherr.h.fips openssl-1.1.1b/include/open # define DH_R_PARAMETER_ENCODING_ERROR 105 # define DH_R_PEER_KEY_ERROR 111 # define DH_R_SHARED_INFO_ERROR 113 -diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl/dh.h ---- openssl-1.1.1b/include/openssl/dh.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dh.h 2019-02-28 11:30:06.820745410 +0100 +diff -up openssl-1.1.1d/include/openssl/dh.h.fips openssl-1.1.1d/include/openssl/dh.h +--- openssl-1.1.1d/include/openssl/dh.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/dh.h 2019-09-13 15:13:11.065524888 +0200 @@ -31,6 +31,7 @@ extern "C" { # endif 
@@ -11012,10 +10811,10 @@ diff -up openssl-1.1.1b/include/openssl/dh.h.fips openssl-1.1.1b/include/openssl # define DH_FLAG_CACHE_MONT_P 0x01 -diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/openssl/dsaerr.h ---- openssl-1.1.1b/include/openssl/dsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dsaerr.h 2019-02-28 11:30:06.821745391 +0100 -@@ -25,8 +25,11 @@ int ERR_load_DSA_strings(void); +diff -up openssl-1.1.1d/include/openssl/dsaerr.h.fips openssl-1.1.1d/include/openssl/dsaerr.h +--- openssl-1.1.1d/include/openssl/dsaerr.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/dsaerr.h 2019-09-13 15:16:32.263008157 +0200 +@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void); */ # define DSA_F_DSAPARAMS_PRINT 100 # define DSA_F_DSAPARAMS_PRINT_FP 101 
@@ -11027,22 +10826,23 @@ diff -up openssl-1.1.1b/include/openssl/dsaerr.h.fips openssl-1.1.1b/include/ope # define DSA_F_DSA_DO_SIGN 112 # define DSA_F_DSA_DO_VERIFY 113 # define DSA_F_DSA_METH_DUP 127 -@@ -56,9 +59,12 @@ int ERR_load_DSA_strings(void); +@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void); # define DSA_R_DECODE_ERROR 104 # define DSA_R_INVALID_DIGEST_TYPE 106 # define DSA_R_INVALID_PARAMETERS 112 +# define DSA_R_KEY_SIZE_INVALID 201 +# define DSA_R_KEY_SIZE_TOO_SMALL 202 # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MISSING_PRIVATE_KEY 111 # define DSA_R_MODULUS_TOO_LARGE 103 # define DSA_R_NO_PARAMETERS_SET 107 +# define DSA_R_NON_FIPS_DSA_METHOD 200 # define DSA_R_PARAMETER_ENCODING_ERROR 105 # define DSA_R_Q_NOT_PRIME 113 # define DSA_R_SEED_LEN_SMALL 110 -diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openssl/dsa.h ---- openssl-1.1.1b/include/openssl/dsa.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/dsa.h 2019-02-28 11:30:06.821745391 +0100 +diff -up openssl-1.1.1d/include/openssl/dsa.h.fips openssl-1.1.1d/include/openssl/dsa.h +--- openssl-1.1.1d/include/openssl/dsa.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/dsa.h 2019-09-13 15:13:11.065524888 +0200 @@ -31,6 +31,7 @@ extern "C" { # endif 
@@ -11051,26 +10851,29 @@ diff -up openssl-1.1.1b/include/openssl/dsa.h.fips openssl-1.1.1b/include/openss # define DSA_FLAG_CACHE_MONT_P 0x01 # if OPENSSL_API_COMPAT < 0x10100000L -diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/openssl/evperr.h ---- openssl-1.1.1b/include/openssl/evperr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/evperr.h 2019-05-06 16:40:21.324571446 +0200 -@@ -20,11 +20,15 @@ int ERR_load_EVP_strings(void); +diff -up openssl-1.1.1d/include/openssl/evperr.h.fips openssl-1.1.1d/include/openssl/evperr.h +--- openssl-1.1.1d/include/openssl/evperr.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/evperr.h 2019-09-13 15:18:17.552167810 +0200 +@@ -24,14 +24,15 @@ int ERR_load_EVP_strings(void); * EVP function codes. */ # define EVP_F_AESNI_INIT_KEY 165 +-# define EVP_F_AESNI_XTS_INIT_KEY 207 +# define EVP_F_AESNI_XTS_INIT_KEY 233 # define EVP_F_AES_GCM_CTRL 196 # define EVP_F_AES_INIT_KEY 133 # define EVP_F_AES_OCB_CIPHER 169 # define EVP_F_AES_T4_INIT_KEY 178 +-# define EVP_F_AES_T4_XTS_INIT_KEY 208 +# define EVP_F_AES_T4_XTS_INIT_KEY 234 # define EVP_F_AES_WRAP_CIPHER 170 +-# define EVP_F_AES_XTS_INIT_KEY 209 +# define EVP_F_AES_XTS_CIPHER 229 +# define EVP_F_AES_XTS_INIT_KEY 235 # define EVP_F_ALG_MODULE_INIT 177 # define EVP_F_ARIA_CCM_INIT_KEY 175 # define EVP_F_ARIA_GCM_CTRL 197 -@@ -133,6 +134,7 @@ int ERR_load_EVP_strings(void); +@@ -142,6 +143,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 # define EVP_R_DECODE_ERROR 114 
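Review bot: The refreshed evperr.h hunk now removes the upstream definitions `EVP_F_AESNI_XTS_INIT_KEY 207`, `EVP_F_AES_T4_XTS_INIT_KEY 208` and `EVP_F_AES_XTS_INIT_KEY 209` and keeps the downstream values 233, 234 and 235, with nothing recording why the public header diverges from upstream. The later evperr.h hunk does the same for `EVP_R_XTS_DUPLICATED_KEYS` (183 becomes 192). Presumably this keeps the numbers the earlier downstream FIPS patch already shipped, but anything built against upstream headers, or matching these codes by number in logs, will see different values. I would add a line to the patch description such as `EVP_F_*_XTS_INIT_KEY and EVP_R_XTS_DUPLICATED_KEYS keep the downstream numbers shipped before 1.1.1d`. It is also worth confirming that 191, 192 and 233-235 are unused in the 1.1.1d evperr.h and that the evp_err.c part of this patch agrees with the header.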
@@ -11078,7 +10881,7 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope # define EVP_R_DIFFERENT_KEY_TYPES 101 # define EVP_R_DIFFERENT_PARAMETERS 153 # define EVP_R_ERROR_LOADING_SECTION 165 -@@ -175,6 +177,7 @@ int ERR_load_EVP_strings(void); +@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 # define EVP_R_PUBLIC_KEY_NOT_RSA 106 @@ -11086,18 +10889,19 @@ diff -up openssl-1.1.1b/include/openssl/evperr.h.fips openssl-1.1.1b/include/ope # define EVP_R_UNKNOWN_CIPHER 160 # define EVP_R_UNKNOWN_DIGEST 161 # define EVP_R_UNKNOWN_OPTION 169 -@@ -190,5 +193,7 @@ int ERR_load_EVP_strings(void); +@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void); # define EVP_R_UNSUPPORTED_SALT_TYPE 126 # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +-# define EVP_R_XTS_DUPLICATED_KEYS 183 +# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 +# define EVP_R_XTS_DUPLICATED_KEYS 192 #endif -diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openssl/evp.h ---- openssl-1.1.1b/include/openssl/evp.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/evp.h 2019-05-06 14:54:13.213136281 +0200 -@@ -1319,6 +1319,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP +diff -up openssl-1.1.1d/include/openssl/evp.h.fips openssl-1.1.1d/include/openssl/evp.h +--- openssl-1.1.1d/include/openssl/evp.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/evp.h 2019-09-13 15:13:11.066524871 +0200 +@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP */ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4 
@@ -11107,9 +10911,9 @@ diff -up openssl-1.1.1b/include/openssl/evp.h.fips openssl-1.1.1b/include/openss const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags); void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, -diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/openssl/fips.h ---- openssl-1.1.1b/include/openssl/fips.h.fips 2019-05-06 16:08:46.800598073 +0200 -+++ openssl-1.1.1b/include/openssl/fips.h 2019-05-06 16:43:12.874549821 +0200 +diff -up openssl-1.1.1d/include/openssl/fips.h.fips openssl-1.1.1d/include/openssl/fips.h +--- openssl-1.1.1d/include/openssl/fips.h.fips 2019-09-13 15:13:11.066524871 +0200 ++++ openssl-1.1.1d/include/openssl/fips.h 2019-09-13 15:13:11.066524871 +0200 @@ -0,0 +1,187 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. @@ -11298,9 +11102,9 @@ diff -up openssl-1.1.1b/include/openssl/fips.h.fips openssl-1.1.1b/include/opens +} +# endif +#endif -diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/openssl/fips_rand.h ---- openssl-1.1.1b/include/openssl/fips_rand.h.fips 2019-02-28 11:30:06.821745391 +0100 -+++ openssl-1.1.1b/include/openssl/fips_rand.h 2019-02-28 11:30:06.821745391 +0100 +diff -up openssl-1.1.1d/include/openssl/fips_rand.h.fips openssl-1.1.1d/include/openssl/fips_rand.h +--- openssl-1.1.1d/include/openssl/fips_rand.h.fips 2019-09-13 15:13:11.066524871 +0200 ++++ openssl-1.1.1d/include/openssl/fips_rand.h 2019-09-13 15:13:11.066524871 +0200 @@ -0,0 +1,145 @@ +/* ==================================================================== + * Copyright (c) 2003 The OpenSSL Project. All rights reserved. 
@@ -11447,9 +11251,9 @@ diff -up openssl-1.1.1b/include/openssl/fips_rand.h.fips openssl-1.1.1b/include/ +# endif +# endif +#endif -diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/include/openssl/opensslconf.h.in ---- openssl-1.1.1b/include/openssl/opensslconf.h.in.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/opensslconf.h.in 2019-02-28 11:30:06.822745372 +0100 +diff -up openssl-1.1.1d/include/openssl/opensslconf.h.in.fips openssl-1.1.1d/include/openssl/opensslconf.h.in +--- openssl-1.1.1d/include/openssl/opensslconf.h.in.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/opensslconf.h.in 2019-09-13 15:13:11.067524853 +0200 @@ -150,6 +150,11 @@ extern "C" { #define RC4_INT {- $config{rc4_int} -} @@ -11462,10 +11266,10 @@ diff -up openssl-1.1.1b/include/openssl/opensslconf.h.in.fips openssl-1.1.1b/inc #ifdef __cplusplus } #endif -diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/openssl/randerr.h ---- openssl-1.1.1b/include/openssl/randerr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/randerr.h 2019-02-28 11:30:06.822745372 +0100 -@@ -35,6 +35,7 @@ int ERR_load_RAND_strings(void); +diff -up openssl-1.1.1d/include/openssl/randerr.h.fips openssl-1.1.1d/include/openssl/randerr.h +--- openssl-1.1.1d/include/openssl/randerr.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/randerr.h 2019-09-13 15:13:11.067524853 +0200 +@@ -37,6 +37,7 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_DRBG_SET 104 # define RAND_F_RAND_DRBG_SET_DEFAULTS 121 # define RAND_F_RAND_DRBG_UNINSTANTIATE 118 
@@ -11473,9 +11277,9 @@ diff -up openssl-1.1.1b/include/openssl/randerr.h.fips openssl-1.1.1b/include/op # define RAND_F_RAND_LOAD_FILE 111 # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122 # define RAND_F_RAND_POOL_ADD 103 -diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/openssl/rand.h ---- openssl-1.1.1b/include/openssl/rand.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/rand.h 2019-02-28 11:30:06.822745372 +0100 +diff -up openssl-1.1.1d/include/openssl/rand.h.fips openssl-1.1.1d/include/openssl/rand.h +--- openssl-1.1.1d/include/openssl/rand.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/rand.h 2019-09-13 15:13:11.067524853 +0200 @@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM)) # endif @@ -11488,10 +11292,10 @@ diff -up openssl-1.1.1b/include/openssl/rand.h.fips openssl-1.1.1b/include/opens #ifdef __cplusplus } -diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/openssl/rsaerr.h ---- openssl-1.1.1b/include/openssl/rsaerr.h.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/include/openssl/rsaerr.h 2019-02-28 11:30:06.822745372 +0100 -@@ -21,6 +21,7 @@ int ERR_load_RSA_strings(void); +diff -up openssl-1.1.1d/include/openssl/rsaerr.h.fips openssl-1.1.1d/include/openssl/rsaerr.h +--- openssl-1.1.1d/include/openssl/rsaerr.h.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/include/openssl/rsaerr.h 2019-09-13 15:13:11.067524853 +0200 +@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void); */ # define RSA_F_CHECK_PADDING_MD 140 # define RSA_F_ENCODE_PKCS1 146 
@@ -11499,7 +11303,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_F_INT_RSA_VERIFY 145 # define RSA_F_OLD_RSA_PRIV_DECODE 147 # define RSA_F_PKEY_PSS_INIT 165 -@@ -35,6 +36,8 @@ int ERR_load_RSA_strings(void); +@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void); # define RSA_F_RSA_CHECK_KEY_EX 160 # define RSA_F_RSA_CMS_DECRYPT 159 # define RSA_F_RSA_CMS_VERIFY 158 @@ -11508,7 +11312,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_F_RSA_ITEM_VERIFY 148 # define RSA_F_RSA_METH_DUP 161 # define RSA_F_RSA_METH_NEW 162 -@@ -72,10 +75,16 @@ int ERR_load_RSA_strings(void); +@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void); # define RSA_F_RSA_PRINT_FP 116 # define RSA_F_RSA_PRIV_DECODE 150 # define RSA_F_RSA_PRIV_ENCODE 138 @@ -11525,7 +11329,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_F_RSA_SIGN 117 # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 # define RSA_F_RSA_VERIFY 119 -@@ -132,10 +141,12 @@ int ERR_load_RSA_strings(void); +@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void); # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 # define RSA_R_MP_R_NOT_PRIME 170 # define RSA_R_NO_PUBLIC_EXPONENT 140 @@ -11538,7 +11342,7 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 # define RSA_R_PADDING_CHECK_FAILED 114 # define RSA_R_PKCS_DECODING_ERROR 159 -@@ -155,6 +166,7 @@ int ERR_load_RSA_strings(void); +@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void); # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 
@@ -11546,9 +11350,9 @@ diff -up openssl-1.1.1b/include/openssl/rsaerr.h.fips openssl-1.1.1b/include/ope # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 -diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c ---- openssl-1.1.1b/ssl/ssl_ciph.c.fips 2019-02-28 11:30:06.776746228 +0100 -+++ openssl-1.1.1b/ssl/ssl_ciph.c 2019-02-28 11:30:06.822745372 +0100 +diff -up openssl-1.1.1d/ssl/ssl_ciph.c.fips openssl-1.1.1d/ssl/ssl_ciph.c +--- openssl-1.1.1d/ssl/ssl_ciph.c.fips 2019-09-13 15:13:11.019525692 +0200 ++++ openssl-1.1.1d/ssl/ssl_ciph.c 2019-09-13 15:13:11.068524836 +0200 @@ -387,7 +387,7 @@ int ssl_load_ciphers(void) } } @@ -11577,7 +11381,7 @@ diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c if ((c->algorithm_mkey & disabled_mkey) || (c->algorithm_auth & disabled_auth) || (c->algorithm_enc & disabled_enc) || -@@ -1670,7 +1675,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ for (curr = head; curr != NULL; curr = curr->next) { @@ -11587,9 +11391,9 @@ diff -up openssl-1.1.1b/ssl/ssl_ciph.c.fips openssl-1.1.1b/ssl/ssl_ciph.c if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { OPENSSL_free(co_list); sk_SSL_CIPHER_free(cipherstack); -diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c ---- openssl-1.1.1b/ssl/ssl_init.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/ssl/ssl_init.c 2019-02-28 11:30:06.823745354 +0100 +diff -up openssl-1.1.1d/ssl/ssl_init.c.fips openssl-1.1.1d/ssl/ssl_init.c +--- openssl-1.1.1d/ssl/ssl_init.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/ssl/ssl_init.c 2019-09-13 15:13:11.068524836 +0200 @@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " "Adding SSL ciphers and digests\n"); 
@@ -11633,10 +11437,10 @@ diff -up openssl-1.1.1b/ssl/ssl_init.c.fips openssl-1.1.1b/ssl/ssl_init.c #ifndef OPENSSL_NO_COMP # ifdef OPENSSL_INIT_DEBUG fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c ---- openssl-1.1.1b/ssl/ssl_lib.c.fips 2019-02-28 11:30:06.776746228 +0100 -+++ openssl-1.1.1b/ssl/ssl_lib.c 2019-02-28 11:30:06.823745354 +0100 -@@ -2908,6 +2908,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +diff -up openssl-1.1.1d/ssl/ssl_lib.c.fips openssl-1.1.1d/ssl/ssl_lib.c +--- openssl-1.1.1d/ssl/ssl_lib.c.fips 2019-09-13 15:13:11.019525692 +0200 ++++ openssl-1.1.1d/ssl/ssl_lib.c 2019-09-13 15:13:11.069524818 +0200 +@@ -2916,6 +2916,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) return NULL; @@ -11648,7 +11452,7 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; -@@ -2964,13 +2969,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m +@@ -2972,13 +2977,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m if (ret->param == NULL) goto err; 
@@ -11673,10 +11477,10 @@ diff -up openssl-1.1.1b/ssl/ssl_lib.c.fips openssl-1.1.1b/ssl/ssl_lib.c } if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) -diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h ---- openssl-1.1.1c/ssl/ssl_locl.h.fips 2019-06-03 16:44:58.963560101 +0200 -+++ openssl-1.1.1c/ssl/ssl_locl.h 2019-06-24 14:43:19.547353076 +0200 -@@ -1507,6 +1507,7 @@ typedef struct tls_group_info_st { +diff -up openssl-1.1.1d/ssl/ssl_locl.h.fips openssl-1.1.1d/ssl/ssl_locl.h +--- openssl-1.1.1d/ssl/ssl_locl.h.fips 2019-09-13 15:13:10.901527755 +0200 ++++ openssl-1.1.1d/ssl/ssl_locl.h 2019-09-13 15:13:11.069524818 +0200 +@@ -1516,6 +1516,7 @@ typedef struct tls_group_info_st { # define TLS_CURVE_PRIME 0x0 # define TLS_CURVE_CHAR2 0x1 # define TLS_CURVE_CUSTOM 0x2 @@ -11684,10 +11488,10 @@ diff -up openssl-1.1.1c/ssl/ssl_locl.h.fips openssl-1.1.1c/ssl/ssl_locl.h typedef struct cert_pkey_st CERT_PKEY; -diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c ---- openssl-1.1.1c/ssl/t1_lib.c.fips 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/ssl/t1_lib.c 2019-06-24 14:49:00.638576235 +0200 -@@ -156,11 +156,11 @@ static const TLS_GROUP_INFO nid_list[] = +diff -up openssl-1.1.1d/ssl/t1_lib.c.fips openssl-1.1.1d/ssl/t1_lib.c +--- openssl-1.1.1d/ssl/t1_lib.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/ssl/t1_lib.c 2019-09-13 15:13:11.069524818 +0200 +@@ -158,11 +158,11 @@ static const TLS_GROUP_INFO nid_list[] = {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ 
@@ -11703,7 +11507,7 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ -@@ -255,6 +255,8 @@ int tls_curve_allowed(SSL *s, uint16_t c +@@ -257,6 +257,8 @@ int tls_curve_allowed(SSL *s, uint16_t c if (cinfo->flags & TLS_CURVE_CHAR2) return 0; # endif @@ -11712,9 +11516,9 @@ diff -up openssl-1.1.1c/ssl/t1_lib.c.fips openssl-1.1.1c/ssl/t1_lib.c ctmp[0] = curve >> 8; ctmp[1] = curve & 0xff; return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); -diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c ---- openssl-1.1.1b/test/dsatest.c.fips 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/dsatest.c 2019-02-28 11:30:06.824745335 +0100 +diff -up openssl-1.1.1d/test/dsatest.c.fips openssl-1.1.1d/test/dsatest.c +--- openssl-1.1.1d/test/dsatest.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/dsatest.c 2019-09-13 15:13:11.070524801 +0200 @@ -24,41 +24,42 @@ #ifndef OPENSSL_NO_DSA static int dsa_cb(int p, int n, BN_GENCB *arg); 
@@ -11797,10 +11601,10 @@ diff -up openssl-1.1.1b/test/dsatest.c.fips openssl-1.1.1b/test/dsatest.c goto end; if (!TEST_int_eq(h, 2)) goto end; -diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt ---- openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-05-06 16:08:46.857597085 +0200 -+++ openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt 2019-05-06 16:35:37.917563292 +0200 -@@ -1184,6 +1184,7 @@ Key = 0000000000000000000000000000000000 +diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1d/test/recipes/30-test_evp_data/evpciph.txt +--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpciph.txt.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpciph.txt 2019-09-13 15:13:11.070524801 +0200 +@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 IV = 00000000000000000000000000000000 Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e 
@@ -11808,13 +11612,13 @@ diff -up openssl-1.1.1b/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1 Cipher = aes-128-xts Key = 1111111111111111111111111111111122222222222222222222222222222222 -diff -up openssl-1.1.1c/util/libcrypto.num.fips openssl-1.1.1c/util/libcrypto.num ---- openssl-1.1.1c/util/libcrypto.num.fips 2019-05-29 15:46:19.154260824 +0200 -+++ openssl-1.1.1c/util/libcrypto.num 2019-05-29 15:50:10.390191805 +0200 -@@ -4580,3 +4580,38 @@ EVP_PKEY_meth_get_digest_custom - OPENSSL_INIT_set_config_filename 4534 1_1_1b EXIST::FUNCTION:STDIO - OPENSSL_INIT_set_config_file_flags 4535 1_1_1b EXIST::FUNCTION:STDIO +diff -up openssl-1.1.1d/util/libcrypto.num.fips openssl-1.1.1d/util/libcrypto.num +--- openssl-1.1.1d/util/libcrypto.num.fips 2019-09-13 15:13:11.071524783 +0200 ++++ openssl-1.1.1d/util/libcrypto.num 2019-09-13 15:15:39.895923481 +0200 +@@ -4582,3 +4582,38 @@ OPENSSL_INIT_set_config_file_flags EVP_PKEY_get0_engine 4536 1_1_1c EXIST::FUNCTION:ENGINE + X509_get0_authority_serial 4537 1_1_1d EXIST::FUNCTION: + X509_get0_authority_issuer 4538 1_1_1d EXIST::FUNCTION: +FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: +FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: +FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: diff --git a/openssl-1.1.1-no-brainpool.patch b/openssl-1.1.1-no-brainpool.patch index 2ab6fc9..90c87a8 100644 --- a/openssl-1.1.1-no-brainpool.patch +++ b/openssl-1.1.1-no-brainpool.patch 
@@ -1,17 +1,16 @@ -diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in ---- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in 2019-05-07 11:52:35.885597934 +0200 -@@ -141,22 +141,23 @@ our @tests = ( +diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in +--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200 +@@ -147,22 +147,22 @@ our @tests = ( { name => "ECDSA with brainpool", server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", -+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), +# "Groups" => "brainpoolP256r1", -+ "CipherString" => "aNULL", }, client => { #We don't restrict this to TLSv1.2, although use of brainpool 
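Review bot: The test is still named "ECDSA with brainpool", but after this refresh the server block loads `server-ecdsa-cert.pem` and `server-ecdsa-key.pem` with `Groups` left commented out, so it no longer exercises brainpool. The "TLS 1.3 ECDSA with brainpool" hunk and the two 20-cert-select.conf hunks further down have the same mismatch. A reader of the test output could take a pass as evidence about brainpool handling. A comment above the server block would help, for example `# brainpool is disabled in this build; the generic ECDSA certificate is used instead`. From the visible hunks nothing appears to assert that a brainpool group is actually refused, so confirm that this is covered elsewhere. The client block continues outside this hunk.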
@@ -32,17 +31,16 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens "ExpectedResult" => "Success" }, }, -@@ -787,18 +788,19 @@ my @tests_tls_1_3 = ( +@@ -853,18 +853,18 @@ my @tests_tls_1_3 = ( { name => "TLS 1.3 ECDSA with brainpool", server => { - "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), - "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), - "Groups" => "brainpoolP256r1", -+# "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -+# "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), ++ "Certificate" => test_pem("server-ecdsa-cert.pem"), ++ "PrivateKey" => test_pem("server-ecdsa-key.pem"), +# "Groups" => "brainpoolP256r1", -+ "CipherString" => "aNULL", }, client => { "RequestCAFile" => test_pem("root-cert.pem"), 
@@ -57,20 +55,19 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.in.no-brainpool opens }, }, ); -diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1b/test/ssl-tests/20-cert-select.conf ---- openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/test/ssl-tests/20-cert-select.conf 2019-05-07 12:15:12.762907496 +0200 -@@ -233,23 +233,18 @@ server = 5-ECDSA with brainpool-server +diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf +--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200 +@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server client = 5-ECDSA with brainpool-client [5-ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem --CipherString = DEFAULT ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = aNULL -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem [5-ECDSA with brainpool-client] CipherString = aECDSA 
@@ -87,28 +84,27 @@ diff -up openssl-1.1.1b/test/ssl-tests/20-cert-select.conf.no-brainpool openssl- # =========================================================== -@@ -1577,14 +1572,12 @@ server = 47-TLS 1.3 ECDSA with brainpool - client = 47-TLS 1.3 ECDSA with brainpool-client +@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool + client = 52-TLS 1.3 ECDSA with brainpool-client - [47-TLS 1.3 ECDSA with brainpool-server] + [52-TLS 1.3 ECDSA with brainpool-server] -Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem --CipherString = DEFAULT ++Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem + CipherString = DEFAULT -Groups = brainpoolP256r1 -PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -+CipherString = aNULL -+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - [47-TLS 1.3 ECDSA with brainpool-client] + [52-TLS 1.3 ECDSA with brainpool-client] CipherString = DEFAULT -Groups = brainpoolP256r1 MaxProtocol = TLSv1.3 MinProtocol = TLSv1.3 RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem -@@ -1592,7 +1585,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro +@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro VerifyMode = Peer - [test-47] + [test-52] -ExpectedResult = ServerFail +ExpectedResult = Success diff --git a/openssl-1.1.1-no-html.patch b/openssl-1.1.1-no-html.patch new file mode 100644 index 0000000..6688d1c --- /dev/null +++ b/openssl-1.1.1-no-html.patch 
@@ -0,0 +1,12 @@
+diff -up openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1d/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1d/Configurations/unix-Makefile.tmpl.no-html 2019-09-13 15:00:32.976774673 +0200
++++ openssl-1.1.1d/Configurations/unix-Makefile.tmpl 2019-09-13 15:02:22.283864321 +0200
+@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
+
+ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ $(RM) -r $(DESTDIR)$(DOCDIR)
diff --git a/openssl-1.1.1-upstream-sync.patch b/openssl-1.1.1-upstream-sync.patch
index 7e03b8d..86448a0 100644
--- a/openssl-1.1.1-upstream-sync.patch
+++ b/openssl-1.1.1-upstream-sync.patch
@@ -1,534 +1,153 @@ -diff -up openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync openssl-1.1.1c/crypto/dsa/dsa_ameth.c ---- openssl-1.1.1c/crypto/dsa/dsa_ameth.c.sync 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/dsa/dsa_ameth.c 2019-05-29 17:10:39.768187283 +0200 -@@ -503,7 +503,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey, - - case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha256; -- return 2; -+ return 1; - - default: - return -2; -diff -up openssl-1.1.1c/crypto/err/err.c.sync openssl-1.1.1c/crypto/err/err.c ---- openssl-1.1.1c/crypto/err/err.c.sync 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/crypto/err/err.c 2019-05-29 17:07:13.345793792 +0200 -@@ -184,8 +184,8 @@ static ERR_STRING_DATA *int_err_get_item - } - - #ifndef OPENSSL_NO_ERR --/* A measurement on Linux 2018-11-21 showed about 3.5kib */ --# define SPACE_SYS_STR_REASONS 4 * 1024 -+/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */ -+# define SPACE_SYS_STR_REASONS 8 * 1024 - # define NUM_SYS_STR_REASONS 127 - - static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1]; -@@ -219,21 +219,23 @@ static void build_SYS_str_reasons(void) - ERR_STRING_DATA *str = &SYS_str_reasons[i - 1]; - - str->error = ERR_PACK(ERR_LIB_SYS, 0, i); -- if (str->string == NULL) { -+ /* -+ * If we have used up all the space in strerror_pool, -+ * there's no point in calling openssl_strerror_r() -+ */ -+ if (str->string == NULL && cnt < sizeof(strerror_pool)) { - if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) { - size_t l = strlen(cur); - - str->string = cur; - cnt += l; -- if (cnt > sizeof(strerror_pool)) -- cnt = sizeof(strerror_pool); - cur += l; - - /* - * VMS has an unusual quirk of adding spaces at the end of -- * some (most? all?) messages. Lets trim them off. -+ * some (most? all?) messages. Lets trim them off. 
- */ -- while (ossl_isspace(cur[-1])) { -+ while (cur > strerror_pool && ossl_isspace(cur[-1])) { - cur--; - cnt--; - } -diff -up openssl-1.1.1c/crypto/rand/rand_lib.c.sync openssl-1.1.1c/crypto/rand/rand_lib.c ---- openssl-1.1.1c/crypto/rand/rand_lib.c.sync 2019-05-29 17:20:17.175099183 +0200 -+++ openssl-1.1.1c/crypto/rand/rand_lib.c 2019-05-30 11:51:20.784850208 +0200 -@@ -239,8 +239,9 @@ size_t rand_drbg_get_nonce(RAND_DRBG *dr - struct { - void * instance; - int count; -- } data = { NULL, 0 }; -+ } data; - -+ memset(&data, 0, sizeof(data)); - pool = rand_pool_new(0, min_len, max_len); - if (pool == NULL) - return 0; -From 6c2f347c78a530407b5310497080810094427920 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 17 Apr 2019 11:09:05 +0100 -Subject: [PATCH 1/2] Defer sending a KeyUpdate until after pending writes are - complete +commit 515c728dbaa92211d2eafb0041ab9fcd258fdc41 +Author: Bernd Edlinger +Date: Mon Sep 9 19:12:25 2019 +0200 -If we receive a KeyUpdate message (update requested) from the peer while -we are in the middle of a write, we should defer sending the responding -KeyUpdate message until after the current write is complete. We do this -by waiting to send the KeyUpdate until the next time we write and there is -no pending write data. + Fix potential memory leaks with BN_to_ASN1_INTEGER + + Reviewed-by: Paul Dale + Reviewed-by: Matt Caswell + (Merged from https://github.com/openssl/openssl/pull/9833) + + (cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09) -This does imply a subtle change in behaviour. Firstly the responding -KeyUpdate message won't be sent straight away as it is now. Secondly if -the peer sends multiple KeyUpdates without us doing any writing then we -will only send one response, as opposed to previously where we sent a -response for each KeyUpdate received. 
- -Fixes #8677 - -Reviewed-by: Ben Kaduk -(Merged from https://github.com/openssl/openssl/pull/8773) - -(cherry picked from commit feb9e31c40c49de6384dd0413685e9b5a15adc99) ---- - ssl/record/rec_layer_s3.c | 7 +++++++ - ssl/statem/statem_clnt.c | 6 ------ - ssl/statem/statem_lib.c | 7 ++----- - ssl/statem/statem_srvr.c | 6 ------ - 4 files changed, 9 insertions(+), 17 deletions(-) - -diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c -index b2f97ef905..b65137c332 100644 ---- a/ssl/record/rec_layer_s3.c -+++ b/ssl/record/rec_layer_s3.c -@@ -373,6 +373,13 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 1ce1181fc1..7cbf8de981 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, + unsigned char *buffer = NULL; + const EC_POINT *point = NULL; + point_conversion_form_t form; ++ ASN1_INTEGER *orig; - s->rlayer.wnum = 0; - -+ /* -+ * If we are supposed to be sending a KeyUpdate then go into init unless we -+ * have writes pending - in which case we should finish doing that first. 
-+ */ -+ if (wb->left == 0 && s->key_update != SSL_KEY_UPDATE_NONE) -+ ossl_statem_set_in_init(s, 1); -+ - /* - * When writing early data on the server side we could be "in_init" in - * between receiving the EoED and the CF - but we don't want to handle those -diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c -index 87800cd835..6410414fb6 100644 ---- a/ssl/statem/statem_clnt.c -+++ b/ssl/statem/statem_clnt.c -@@ -473,12 +473,6 @@ static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) - return WRITE_TRAN_CONTINUE; - - case TLS_ST_CR_KEY_UPDATE: -- if (s->key_update != SSL_KEY_UPDATE_NONE) { -- st->hand_state = TLS_ST_CW_KEY_UPDATE; -- return WRITE_TRAN_CONTINUE; -- } -- /* Fall through */ -- - case TLS_ST_CW_KEY_UPDATE: - case TLS_ST_CR_SESSION_TICKET: - case TLS_ST_CW_FINISHED: -diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c -index c0482b0a90..2960dafa52 100644 ---- a/ssl/statem/statem_lib.c -+++ b/ssl/statem/statem_lib.c -@@ -645,12 +645,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) - /* - * If we get a request for us to update our sending keys too then, we need - * to additionally send a KeyUpdate message. However that message should -- * not also request an update (otherwise we get into an infinite loop). We -- * ignore a request for us to update our sending keys too if we already -- * sent close_notify. -+ * not also request an update (otherwise we get into an infinite loop). 
- */ -- if (updatetype == SSL_KEY_UPDATE_REQUESTED -- && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) -+ if (updatetype == SSL_KEY_UPDATE_REQUESTED) - s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; - - if (!tls13_update_key(s, 0)) { -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index d454326a99..04a23320fc 100644 ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -502,12 +502,6 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) - return WRITE_TRAN_CONTINUE; - - case TLS_ST_SR_KEY_UPDATE: -- if (s->key_update != SSL_KEY_UPDATE_NONE) { -- st->hand_state = TLS_ST_SW_KEY_UPDATE; -- return WRITE_TRAN_CONTINUE; -- } -- /* Fall through */ -- - case TLS_ST_SW_KEY_UPDATE: - st->hand_state = TLS_ST_OK; - return WRITE_TRAN_CONTINUE; --- -2.20.1 - -From c8feb1039ccc4cd11e6db084df1446bf863bee1e Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 17 Apr 2019 10:30:53 +0100 -Subject: [PATCH 2/2] Write a test for receiving a KeyUpdate (update requested) - while writing - -Reviewed-by: Ben Kaduk -(Merged from https://github.com/openssl/openssl/pull/8773) - -(cherry picked from commit a77b4dba237d001073d2d1c5d55c674a196c949f) ---- - test/sslapitest.c | 92 +++++++++++++++++++++++++++++++++++++++++++++ - test/ssltestlib.c | 96 +++++++++++++++++++++++++++++++++++++++++++++++ - test/ssltestlib.h | 3 ++ - 3 files changed, 191 insertions(+) - -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 2261fe4a7a..577342644d 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -4290,6 +4290,11 @@ static int test_key_update(void) - || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), - strlen(mess))) - goto end; -+ -+ if (!TEST_int_eq(SSL_write(serverssl, mess, strlen(mess)), strlen(mess)) -+ || !TEST_int_eq(SSL_read(clientssl, buf, sizeof(buf)), -+ strlen(mess))) -+ goto end; + if (params == NULL) { + if ((ret = ECPARAMETERS_new()) == NULL) { +@@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, + 
ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB); + goto err; } - - testresult = 1; -@@ -4302,6 +4307,91 @@ static int test_key_update(void) - - return testresult; - } -+ -+/* -+ * Test we can handle a KeyUpdate (update requested) message while write data -+ * is pending. -+ * Test 0: Client sends KeyUpdate while Server is writing -+ * Test 1: Server sends KeyUpdate while Client is writing -+ */ -+static int test_key_update_in_write(int tst) -+{ -+ SSL_CTX *cctx = NULL, *sctx = NULL; -+ SSL *clientssl = NULL, *serverssl = NULL; -+ int testresult = 0; -+ char buf[20]; -+ static char *mess = "A test message"; -+ BIO *bretry = BIO_new(bio_s_always_retry()); -+ BIO *tmp = NULL; -+ SSL *peerupdate = NULL, *peerwrite = NULL; -+ -+ if (!TEST_ptr(bretry) -+ || !TEST_true(create_ssl_ctx_pair(TLS_server_method(), -+ TLS_client_method(), -+ TLS1_3_VERSION, -+ 0, -+ &sctx, &cctx, cert, privkey)) -+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, -+ NULL, NULL)) -+ || !TEST_true(create_ssl_connection(serverssl, clientssl, -+ SSL_ERROR_NONE))) -+ goto end; -+ -+ peerupdate = tst == 0 ? clientssl : serverssl; -+ peerwrite = tst == 0 ? 
serverssl : clientssl; -+ -+ if (!TEST_true(SSL_key_update(peerupdate, SSL_KEY_UPDATE_REQUESTED)) -+ || !TEST_true(SSL_do_handshake(peerupdate))) -+ goto end; -+ -+ /* Swap the writing endpoint's write BIO to force a retry */ -+ tmp = SSL_get_wbio(peerwrite); -+ if (!TEST_ptr(tmp) || !TEST_true(BIO_up_ref(tmp))) { -+ tmp = NULL; -+ goto end; -+ } -+ SSL_set0_wbio(peerwrite, bretry); -+ bretry = NULL; -+ -+ /* Write data that we know will fail with SSL_ERROR_WANT_WRITE */ -+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), -1) -+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_WRITE)) -+ goto end; -+ -+ /* Reinstate the original writing endpoint's write BIO */ -+ SSL_set0_wbio(peerwrite, tmp); -+ tmp = NULL; -+ -+ /* Now read some data - we will read the key update */ -+ if (!TEST_int_eq(SSL_read(peerwrite, buf, sizeof(buf)), -1) -+ || !TEST_int_eq(SSL_get_error(peerwrite, 0), SSL_ERROR_WANT_READ)) -+ goto end; -+ -+ /* -+ * Complete the write we started previously and read it from the other -+ * endpoint -+ */ -+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) -+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) -+ goto end; -+ -+ /* Write more data to ensure we send the KeyUpdate message back */ -+ if (!TEST_int_eq(SSL_write(peerwrite, mess, strlen(mess)), strlen(mess)) -+ || !TEST_int_eq(SSL_read(peerupdate, buf, sizeof(buf)), strlen(mess))) -+ goto end; -+ -+ testresult = 1; -+ -+ end: -+ SSL_free(serverssl); -+ SSL_free(clientssl); -+ SSL_CTX_free(sctx); -+ SSL_CTX_free(cctx); -+ BIO_free(bretry); -+ BIO_free(tmp); -+ -+ return testresult; -+} - #endif /* OPENSSL_NO_TLS1_3 */ - - static int test_ssl_clear(int idx) -@@ -5982,6 +6072,7 @@ int setup_tests(void) - #ifndef OPENSSL_NO_TLS1_3 - ADD_ALL_TESTS(test_export_key_mat_early, 3); - ADD_TEST(test_key_update); -+ ADD_ALL_TESTS(test_key_update_in_write, 2); - #endif - ADD_ALL_TESTS(test_ssl_clear, 2); - ADD_ALL_TESTS(test_max_fragment_len_ext, 
OSSL_NELEM(max_fragment_len_test)); -@@ -6002,4 +6093,5 @@ int setup_tests(void) - void cleanup_tests(void) +- ret->order = BN_to_ASN1_INTEGER(tmp, ret->order); ++ ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order); + if (ret->order == NULL) { ++ ret->order = orig; + ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); + goto err; + } +@@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, + /* set the cofactor (optional) */ + tmp = EC_GROUP_get0_cofactor(group); + if (tmp != NULL) { +- ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor); ++ ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor); + if (ret->cofactor == NULL) { ++ ret->cofactor = orig; + ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB); + goto err; + } +diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c +index 089f2ae29f..ef2d64826f 100644 +--- a/crypto/x509v3/v3_asid.c ++++ b/crypto/x509v3/v3_asid.c +@@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor, + static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) { - bio_s_mempacket_test_free(); -+ bio_s_always_retry_free(); - } -diff --git a/test/ssltestlib.c b/test/ssltestlib.c -index 05139be750..e1038620ac 100644 ---- a/test/ssltestlib.c -+++ b/test/ssltestlib.c -@@ -62,9 +62,11 @@ static int tls_dump_puts(BIO *bp, const char *str); - /* Choose a sufficiently large type likely to be unused for this custom BIO */ - #define BIO_TYPE_TLS_DUMP_FILTER (0x80 | BIO_TYPE_FILTER) - #define BIO_TYPE_MEMPACKET_TEST 0x81 -+#define BIO_TYPE_ALWAYS_RETRY 0x82 + ASN1_INTEGER *a_max_plus_one = NULL; ++ ASN1_INTEGER *orig; + BIGNUM *bn = NULL; + int i, ret = 0; - static BIO_METHOD *method_tls_dump = NULL; - static BIO_METHOD *meth_mem = NULL; -+static BIO_METHOD *meth_always_retry = NULL; +@@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || +- 
!BN_add_word(bn, 1) || +- (a_max_plus_one = +- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { ++ !BN_add_word(bn, 1)) { ++ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, ++ ERR_R_MALLOC_FAILURE); ++ goto done; ++ } ++ ++ if ((a_max_plus_one = ++ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { ++ a_max_plus_one = orig; + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, + ERR_R_MALLOC_FAILURE); + goto done; +@@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid) + static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) + { + ASN1_INTEGER *a_max_plus_one = NULL; ++ ASN1_INTEGER *orig; + BIGNUM *bn = NULL; + int i, ret = 0; - /* Note: Not thread safe! */ - const BIO_METHOD *bio_f_tls_dump_filter(void) -@@ -612,6 +614,100 @@ static int mempacket_test_puts(BIO *bio, const char *str) - return mempacket_test_write(bio, str, strlen(str)); - } - -+static int always_retry_new(BIO *bi); -+static int always_retry_free(BIO *a); -+static int always_retry_read(BIO *b, char *out, int outl); -+static int always_retry_write(BIO *b, const char *in, int inl); -+static long always_retry_ctrl(BIO *b, int cmd, long num, void *ptr); -+static int always_retry_gets(BIO *bp, char *buf, int size); -+static int always_retry_puts(BIO *bp, const char *str); +@@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || +- !BN_add_word(bn, 1) || +- (a_max_plus_one = +- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { ++ !BN_add_word(bn, 1)) { ++ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ++ ERR_R_MALLOC_FAILURE); ++ goto done; ++ } + -+const BIO_METHOD *bio_s_always_retry(void) -+{ -+ if (meth_always_retry == NULL) { -+ if (!TEST_ptr(meth_always_retry = BIO_meth_new(BIO_TYPE_ALWAYS_RETRY, -+ "Always Retry")) -+ || !TEST_true(BIO_meth_set_write(meth_always_retry, -+ always_retry_write)) -+ || 
!TEST_true(BIO_meth_set_read(meth_always_retry, -+ always_retry_read)) -+ || !TEST_true(BIO_meth_set_puts(meth_always_retry, -+ always_retry_puts)) -+ || !TEST_true(BIO_meth_set_gets(meth_always_retry, -+ always_retry_gets)) -+ || !TEST_true(BIO_meth_set_ctrl(meth_always_retry, -+ always_retry_ctrl)) -+ || !TEST_true(BIO_meth_set_create(meth_always_retry, -+ always_retry_new)) -+ || !TEST_true(BIO_meth_set_destroy(meth_always_retry, -+ always_retry_free))) -+ return NULL; -+ } -+ return meth_always_retry; -+} -+ -+void bio_s_always_retry_free(void) -+{ -+ BIO_meth_free(meth_always_retry); -+} -+ -+static int always_retry_new(BIO *bio) -+{ -+ BIO_set_init(bio, 1); -+ return 1; -+} -+ -+static int always_retry_free(BIO *bio) -+{ -+ BIO_set_data(bio, NULL); -+ BIO_set_init(bio, 0); -+ return 1; -+} -+ -+static int always_retry_read(BIO *bio, char *out, int outl) -+{ -+ BIO_set_retry_read(bio); -+ return -1; -+} -+ -+static int always_retry_write(BIO *bio, const char *in, int inl) -+{ -+ BIO_set_retry_write(bio); -+ return -1; -+} -+ -+static long always_retry_ctrl(BIO *bio, int cmd, long num, void *ptr) -+{ -+ long ret = 1; -+ -+ switch (cmd) { -+ case BIO_CTRL_FLUSH: -+ BIO_set_retry_write(bio); -+ /* fall through */ -+ case BIO_CTRL_EOF: -+ case BIO_CTRL_RESET: -+ case BIO_CTRL_DUP: -+ case BIO_CTRL_PUSH: -+ case BIO_CTRL_POP: -+ default: -+ ret = 0; -+ break; -+ } -+ return ret; -+} -+ -+static int always_retry_gets(BIO *bio, char *buf, int size) -+{ -+ BIO_set_retry_read(bio); -+ return -1; -+} -+ -+static int always_retry_puts(BIO *bio, const char *str) -+{ -+ BIO_set_retry_write(bio); -+ return -1; -+} -+ - int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, - int min_proto_version, int max_proto_version, - SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, -diff --git a/test/ssltestlib.h b/test/ssltestlib.h -index fa19e7d80d..56e323f5bc 100644 ---- a/test/ssltestlib.h -+++ b/test/ssltestlib.h -@@ -30,6 +30,9 @@ void 
bio_f_tls_dump_filter_free(void); - const BIO_METHOD *bio_s_mempacket_test(void); - void bio_s_mempacket_test_free(void); - -+const BIO_METHOD *bio_s_always_retry(void); -+void bio_s_always_retry_free(void); -+ - /* Packet types - value 0 is reserved */ - #define INJECT_PACKET 1 - #define INJECT_PACKET_IGNORE_REC_SEQ 2 --- -2.20.1 ++ if ((a_max_plus_one = ++ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) { ++ a_max_plus_one = orig; + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, + ERR_R_MALLOC_FAILURE); + goto done; +commit 86ed78676c660b553696cc10c682962522dfeb6c +Author: Tomas Mraz +Date: Thu Sep 12 12:27:36 2019 +0200 -diff -up openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind openssl-1.1.1c/include/internal/constant_time_locl.h ---- openssl-1.1.1c/include/internal/constant_time_locl.h.valgrind 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/include/internal/constant_time_locl.h 2019-06-24 15:02:12.796053536 +0200 -@@ -213,18 +213,66 @@ static ossl_inline unsigned char constan - return constant_time_eq_8((unsigned)(a), (unsigned)(b)); - } + BIO_f_zlib: Properly handle BIO_CTRL_PENDING and BIO_CTRL_WPENDING calls. + + There can be data to write in output buffer and data to read that were + not yet read in the input stream. + + Fixes #9866 + + Reviewed-by: Richard Levitte + (Merged from https://github.com/openssl/openssl/pull/9877) + + (cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95) + +diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c +index d688deee5f..7c1be358fd 100644 +--- a/crypto/comp/c_zlib.c ++++ b/crypto/comp/c_zlib.c +@@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr) + BIO_copy_next_retry(b); + break; -+/* Returns the value unmodified, but avoids optimizations. 
*/ -+static ossl_inline unsigned int value_barrier(unsigned int a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ unsigned int r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile unsigned int r = a; -+#endif -+ return r; -+} ++ case BIO_CTRL_WPENDING: ++ if (ctx->obuf == NULL) ++ return 0; + -+/* Convenience method for uint32_t. */ -+static ossl_inline uint32_t value_barrier_32(uint32_t a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ uint32_t r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile uint32_t r = a; -+#endif -+ return r; -+} ++ if (ctx->odone) { ++ ret = ctx->ocount; ++ } else { ++ ret = ctx->ocount; ++ if (ret == 0) ++ /* Unknown amount pending but we are not finished */ ++ ret = 1; ++ } ++ if (ret == 0) ++ ret = BIO_ctrl(next, cmd, num, ptr); ++ break; + -+/* Convenience method for uint64_t. */ -+static ossl_inline uint64_t value_barrier_64(uint64_t a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ uint64_t r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile uint64_t r = a; -+#endif -+ return r; -+} ++ case BIO_CTRL_PENDING: ++ ret = ctx->zin.avail_in; ++ if (ret == 0) ++ ret = BIO_ctrl(next, cmd, num, ptr); ++ break; + -+/* Convenience method for size_t. 
*/ -+static ossl_inline size_t value_barrier_s(size_t a) -+{ -+#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) -+ size_t r; -+ __asm__("" : "=r"(r) : "0"(a)); -+#else -+ volatile size_t r = a; -+#endif -+ return r; -+} -+ - static ossl_inline unsigned int constant_time_select(unsigned int mask, - unsigned int a, - unsigned int b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier(mask) & a) | (value_barrier(~mask) & b); - } - - static ossl_inline size_t constant_time_select_s(size_t mask, - size_t a, - size_t b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b); - } - - static ossl_inline unsigned char constant_time_select_8(unsigned char mask, -@@ -249,13 +297,13 @@ static ossl_inline int constant_time_sel - static ossl_inline uint32_t constant_time_select_32(uint32_t mask, uint32_t a, - uint32_t b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier_32(mask) & a) | (value_barrier_32(~mask) & b); - } - - static ossl_inline uint64_t constant_time_select_64(uint64_t mask, uint64_t a, - uint64_t b) - { -- return (mask & a) | (~mask & b); -+ return (value_barrier_64(mask) & a) | (value_barrier_64(~mask) & b); - } - - /* + default: + ret = BIO_ctrl(next, cmd, num, ptr); + break; diff --git a/openssl-1.1.1-version-override.patch b/openssl-1.1.1-version-override.patch index 7970b84..cbecb90 100644 --- a/openssl-1.1.1-version-override.patch +++ b/openssl-1.1.1-version-override.patch 
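Review bot: In the added `BIO_CTRL_WPENDING` case of `bio_zlib_ctrl`, the early `if (ctx->obuf == NULL) return 0;` answers without consulting the next BIO, while every other path in the two new cases falls back to `BIO_ctrl(next, cmd, num, ptr)` when the local count is zero. If the downstream BIO can hold buffered output before the deflate buffer exists, that data would go unreported, and a caller that uses the pending count to decide whether a flush is still needed could stop early; `if (ctx->obuf == NULL) return BIO_ctrl(next, cmd, num, ptr);` would keep the paths consistent. The two branches on `ctx->odone` both begin with `ret = ctx->ocount;`, so they reduce to `ret = ctx->ocount; if (ret == 0 && !ctx->odone) ret = 1;`. The body of bio_zlib_ctrl starts and ends outside this hunk.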
@@ -1,12 +1,12 @@ -diff -up openssl-1.1.1c/include/openssl/opensslv.h.version-override openssl-1.1.1c/include/openssl/opensslv.h ---- openssl-1.1.1c/include/openssl/opensslv.h.version-override 2019-05-29 15:52:30.014734859 +0200 -+++ openssl-1.1.1c/include/openssl/opensslv.h 2019-05-29 15:53:23.093800831 +0200 +diff -up openssl-1.1.1d/include/openssl/opensslv.h.version-override openssl-1.1.1d/include/openssl/opensslv.h +--- openssl-1.1.1d/include/openssl/opensslv.h.version-override 2019-09-13 15:26:32.606500244 +0200 ++++ openssl-1.1.1d/include/openssl/opensslv.h 2019-09-13 15:27:03.805950866 +0200 @@ -40,7 +40,7 @@ extern "C" { * major minor fix final patch/beta) */ - # define OPENSSL_VERSION_NUMBER 0x1010103fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c 28 May 2019" -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1c FIPS 28 May 2019" + # define OPENSSL_VERSION_NUMBER 0x1010104fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1d 10 Sep 2019" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1d FIPS 10 Sep 2019" /*- * The macros below are to be used for shared library (.so, .dll, ...) diff --git a/openssl.spec b/openssl.spec index 0670bd8..2f6fdfc 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,8 +21,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.1.1c -Release: 6%{?dist} +Version: 1.1.1d +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -40,7 +40,7 @@ Source13: ectest.c # Build changes Patch1: openssl-1.1.1-build.patch Patch2: openssl-1.1.1-defaults.patch -Patch3: openssl-1.1.0-no-html.patch +Patch3: openssl-1.1.1-no-html.patch Patch4: openssl-1.1.1-man-rename.patch # Bug fixes Patch21: openssl-1.1.0-issuer-hash.patch 
@@ -454,6 +454,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Fri Sep 13 2019 Tomáš Mráz 1.1.1d-1 +- update to the 1.1.1d release + * Fri Sep 6 2019 Tomáš Mráz 1.1.1c-6 - upstream fix for status request extension non-compliance (#1737471) diff --git a/sources b/sources index 1c013a4..787f150 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-1.1.1c-hobbled.tar.xz) = e6476209366d284bd02dca7e59a7ba2562aa7c58c91f0063b1e2b0f1a7f96fcff000e26d9c6f59b944e047b3305d237ed442f702ddd2e8c6c7a4d5b12e23c8db +SHA512 (openssl-1.1.1d-hobbled.tar.xz) = c350e4669b82dcbc7fcc997726e376392e2ee0c92c37a952eb02369f05780a8d1b0c265f6264ce0e7619e44200d2d057e3fdcb0fe22c168dfb28e9381841fc00 From 10c30b232214e3b6d2f50ec17043fc949f73393a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 27 Sep 2019 08:36:50 +0200 Subject: [PATCH 4/8] Re-add one hunk of the fips patch accidentally dropped in the rebase. --- openssl-1.1.1-fips.patch | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 9ccdcbf..fd6633d 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch 
@@ -1108,7 +1108,25 @@ diff -up openssl-1.1.1d/crypto/evp/e_aes.c.fips openssl-1.1.1d/crypto/evp/e_aes. /* Allocate memory for IV if needed */ if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { if (gctx->iv != c->iv) -@@ -3380,7 +3385,7 @@ static int aes_xts_init_key(EVP_CIPHER_C +@@ -3318,11 +3323,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX + | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH) + + BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, +- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) ++ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | ++ CUSTOM_FLAGS) + + static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { +@@ -3380,7 +3388,7 @@ static int aes_xts_init_key(EVP_CIPHER_C * BEFORE using the keys in the XTS-AES algorithm to process * data with them." */ @@ -1117,7 +1135,7 @@ diff -up openssl-1.1.1d/crypto/evp/e_aes.c.fips openssl-1.1.1d/crypto/evp/e_aes. EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); return 0; } -@@ -3484,6 +3489,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3484,6 +3492,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX return 0; if (!out || !in || len < AES_BLOCK_SIZE) return 0; @@ -1132,7 +1150,7 @@ diff -up openssl-1.1.1d/crypto/evp/e_aes.c.fips openssl-1.1.1d/crypto/evp/e_aes. if (xctx->stream) (*xctx->stream) (in, out, len, xctx->xts.key1, xctx->xts.key2, -@@ -3501,8 +3514,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX +@@ -3501,8 +3517,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ | EVP_CIPH_CUSTOM_COPY) 
@@ -1145,7 +1163,7 @@ diff -up openssl-1.1.1d/crypto/evp/e_aes.c.fips openssl-1.1.1d/crypto/evp/e_aes. static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { -@@ -3772,11 +3787,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX +@@ -3772,11 +3790,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX #define aes_ccm_cleanup NULL BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, @@ -1160,7 +1178,7 @@ diff -up openssl-1.1.1d/crypto/evp/e_aes.c.fips openssl-1.1.1d/crypto/evp/e_aes. typedef struct { union { -@@ -3869,7 +3884,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT +@@ -3869,7 +3887,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT return rv ? (int)rv : -1; } From f1c4ba61a3c49079c62cb3cdfbac660d46012b6f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 3 Oct 2019 17:43:23 +0200 Subject: [PATCH 5/8] Multiple fixes re-enable the stitched AES-CBC-SHA implementations make AES-GCM work in FIPS mode again enable TLS-1.2 AES-CCM ciphers in FIPS mode fix openssl speed errors in FIPS mode --- openssl-1.1.1-aes-asm.patch | 58 ++++++++++++++++++ openssl-1.1.1-fips.patch | 118 +++++++++++++++++++++++++++++++++--- openssl.spec | 10 ++- 3 files changed, 178 insertions(+), 8 deletions(-) create mode 100644 openssl-1.1.1-aes-asm.patch diff --git a/openssl-1.1.1-aes-asm.patch b/openssl-1.1.1-aes-asm.patch new file mode 100644 index 0000000..65b8213 --- /dev/null +++ b/openssl-1.1.1-aes-asm.patch 
@@ -0,0 +1,58 @@ +commit 61cc715240d2d3f9511ca88043a3e9797c11482f +Author: Richard Levitte +Date: Thu Oct 3 08:28:31 2019 +0200 + + Define AESNI_ASM if AESNI assembler is included, and use it + + Because we have cases where basic assembler support isn't present, but + AESNI asssembler support is, we need a separate macro that indicates + that, and use it. + + Reviewed-by: Tomas Mraz + Reviewed-by: Paul Dale + (Merged from https://github.com/openssl/openssl/pull/10080) + +diff --git a/Configure b/Configure +index 811bee81f5..f498ac2f81 100755 +--- a/Configure ++++ b/Configure +@@ -1376,6 +1376,7 @@ unless ($disabled{asm}) { + } + if ($target{aes_asm_src}) { + push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);; ++ push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);; + # aes-ctr.fake is not a real file, only indication that assembler + # module implements AES_ctr32_encrypt... + push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//); +diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c +index c9f5969162..27c36b46e7 100644 +--- a/crypto/evp/e_aes_cbc_hmac_sha1.c ++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c +@@ -33,7 +33,7 @@ typedef struct { + + #define NO_PAYLOAD_LENGTH ((size_t)-1) + +-#if defined(AES_ASM) && ( \ ++#if defined(AESNI_ASM) && ( \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64) ) + +diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c +index d5178313ae..cc622b6faa 100644 +--- a/crypto/evp/e_aes_cbc_hmac_sha256.c ++++ b/crypto/evp/e_aes_cbc_hmac_sha256.c +@@ -34,7 +34,7 @@ typedef struct { + + # define NO_PAYLOAD_LENGTH ((size_t)-1) + +-#if defined(AES_ASM) && ( \ ++#if defined(AESNI_ASM) && ( \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64) ) + +@@ -947,4 +947,4 @@ const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha256(void) + { + 
return NULL; + } +-#endif ++#endif /* AESNI_ASM */ diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index fd6633d..9063069 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -11,8 +11,8 @@ diff -up openssl-1.1.1d/apps/pkcs12.c.fips openssl-1.1.1d/apps/pkcs12.c int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; # endif diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c ---- openssl-1.1.1d/apps/speed.c.fips 2019-09-13 15:13:11.008525884 +0200 -+++ openssl-1.1.1d/apps/speed.c 2019-09-13 15:13:11.022525640 +0200 +--- openssl-1.1.1d/apps/speed.c.fips 2019-10-03 16:51:22.019915908 +0200 ++++ openssl-1.1.1d/apps/speed.c 2019-10-03 17:40:09.909994582 +0200 @@ -1595,7 +1595,8 @@ int speed_main(int argc, char **argv) continue; if (strcmp(*argv, "rsa") == 0) { @@ -60,7 +60,7 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c eddsa_doit[i] = 2; continue; } -@@ -1737,23 +1742,30 @@ int speed_main(int argc, char **argv) +@@ -1737,23 +1742,31 @@ int speed_main(int argc, char **argv) /* No parameters; turn on everything. */ if ((argc == 0) && !doit[D_EVP]) { for (i = 0; i < ALGOR_NUM; i++) @@ -87,16 +87,18 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) ecdsa_doit[loop] = 1; for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) - ecdh_doit[loop] = 1; +- ecdh_doit[loop] = 1; - for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) - eddsa_doit[loop] = 1; ++ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) ++ ecdh_doit[loop] = 1; + if (!FIPS_mode()) + for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) + eddsa_doit[loop] = 1; #endif } for (i = 0; i < ALGOR_NUM; i++) -@@ -1801,30 +1813,46 @@ int speed_main(int argc, char **argv) +@@ -1801,30 +1814,46 @@ int speed_main(int argc, char **argv) AES_set_encrypt_key(key24, 192, &aes_ks2); AES_set_encrypt_key(key32, 256, &aes_ks3); #ifndef OPENSSL_NO_CAMELLIA 
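Review bot: The closing `#endif /* AESNI_ASM */` added at the end of e_aes_cbc_hmac_sha256.c names only half of the guard, which is `defined(AESNI_ASM) && (defined(__x86_64) || …)`, and the visible e_aes_cbc_hmac_sha1.c part gets the same guard change without a matching comment. Annotate both files the same way or leave the `#endif` bare. The new Configure line also copies the doubled `;;` terminator from the `AES_ASM` line above it, where a single `;` is enough.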
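Review bot: The X25519/X448 exclusion added to the `ecdh_doit` loop in `speed_main` sits in the "No parameters; turn on everything" path only; whether an explicitly requested X25519 or X448 ECDH run is also refused in FIPS mode cannot be seen from this hunk and should be checked, since the commit is meant to remove `openssl speed` errors in FIPS mode. The new line is written as `if(` without a space and hangs an unbraced `if` under an unbraced `for`, unlike the `if (!FIPS_mode())` used for `eddsa_doit` just below; `for (...) { if (!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) ecdh_doit[loop] = 1; }` keeps the loop body explicit. speed_main starts and ends outside the hunk.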
@@ -153,7 +155,7 @@ diff -up openssl-1.1.1d/apps/speed.c.fips openssl-1.1.1d/apps/speed.c #endif #ifndef SIGALRM # ifndef OPENSSL_NO_DES -@@ -2122,6 +2150,7 @@ int speed_main(int argc, char **argv) +@@ -2122,6 +2151,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) { loopargs[i].hctx = HMAC_CTX_new(); @@ -461,7 +463,7 @@ diff -up openssl-1.1.1d/crypto/dsa/dsa_gen.c.fips openssl-1.1.1d/crypto/dsa/dsa_ + goto err; + } + -+ if (FIPS_mode() && (L != 1024 || N != 160) && ++ if (FIPS_mode() && + (L != 2048 || N != 224) && (L != 2048 || N != 256) && + (L != 3072 || N != 256)) { + DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); 
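Review bot: Dropping `(L != 1024 || N != 160) &&` from the FIPS_mode() condition makes DSA parameter generation reject 1024/160 with DSA_R_KEY_SIZE_INVALID in FIPS mode, a user-visible tightening that none of the four changelog items added to openssl.spec in this commit mentions. I would add a changelog line such as `- disallow 1024 bit DSA parameter generation in FIPS mode`. A comment above the condition listing the accepted pairs would also help, e.g. `/* FIPS mode: only (2048,224), (2048,256) and (3072,256) are accepted */`. The hunk shows only the generation path, and the enclosing function (presumably dsa_builtin_paramgen2, judging by the error code) starts and ends outside it. Whether existing 1024-bit parameters can still be used for verification is not visible here and should be confirmed.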
@@ -11368,6 +11370,108 @@ diff -up openssl-1.1.1d/include/openssl/rsaerr.h.fips openssl-1.1.1d/include/ope # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 # define RSA_R_VALUE_MISSING 147 # define RSA_R_WRONG_SIGNATURE_LENGTH 119 +diff -up openssl-1.1.1d/ssl/s3_lib.c.fips openssl-1.1.1d/ssl/s3_lib.c +--- openssl-1.1.1d/ssl/s3_lib.c.fips 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/ssl/s3_lib.c 2019-10-03 16:53:51.140362311 +0200 +@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_HIGH, ++ SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, +@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_HIGH, ++ SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA384, + 256, + 256, +@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = { + SSL_AEAD, + TLS1_3_VERSION, TLS1_3_VERSION, + 0, 0, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256, + 128, + 128, +@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, 
DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, +@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 128, + 128, +@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = { + SSL_AEAD, + TLS1_2_VERSION, TLS1_2_VERSION, + DTLS1_2_VERSION, DTLS1_2_VERSION, +- SSL_NOT_DEFAULT | SSL_HIGH, ++ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS, + SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, + 256, + 256, diff -up openssl-1.1.1d/ssl/ssl_ciph.c.fips openssl-1.1.1d/ssl/ssl_ciph.c --- openssl-1.1.1d/ssl/ssl_ciph.c.fips 2019-09-13 15:13:11.019525692 +0200 +++ openssl-1.1.1d/ssl/ssl_ciph.c 2019-09-13 15:13:11.068524836 +0200 diff --git a/openssl.spec b/openssl.spec index 2f6fdfc..859f4ea 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1d -Release: 1%{?dist} +Release: 2%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
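Review bot: Each of these s3_lib.c hunks shows only the changed flag word, so the cipher being marked `SSL_FIPS` cannot be identified from the patch; the name and id of every entry sit above the visible context. The first three hunks are in `tls13_ciphers`, which the changelog entry ("enable TLS-1.2 AES-CCM ciphers in FIPS mode") does not cover. The `ssl3_ciphers` changes come in groups at 634–682, 794–810 and 890–906 with untouched entries between them. I would regenerate this part of the patch with enough context to show each entry's name, and add a changelog line for the TLS 1.3 suites. It should also be confirmed that the skipped entries (presumably the short-tag CCM_8 variants) are left out on purpose.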
@@ -67,6 +67,7 @@ Patch51: openssl-1.1.1-upstream-sync.patch Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch Patch54: openssl-1.1.1-regression-fixes.patch +Patch55: openssl-1.1.1-aes-asm.patch License: OpenSSL URL: http://www.openssl.org/ @@ -168,6 +169,7 @@ cp %{SOURCE13} test/ %patch52 -p1 -b .s390x-update %patch53 -p1 -b .crng-test %patch54 -p1 -b .regression +%patch55 -p1 -b .aes-asm %build @@ -454,6 +456,12 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Thu Oct 3 2019 Tomáš Mráz 1.1.1d-2 +- re-enable the stitched AES-CBC-SHA implementations +- make AES-GCM work in FIPS mode again +- enable TLS-1.2 AES-CCM ciphers in FIPS mode +- fix openssl speed errors in FIPS mode + * Fri Sep 13 2019 Tomáš Mráz 1.1.1d-1 - update to the 1.1.1d release From dc9d5caf5e42ae56d849ac6e586bf4f67c444cc0 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 12 Nov 2019 16:38:11 +0100 Subject: [PATCH 6/8] KBKDF for Kerberos 5 --- openssl-1.1.1-krb5-kdf.patch | 1254 ++++++++++++++++++++++++++++++++++ 1 file changed, 1254 insertions(+) create mode 100644 openssl-1.1.1-krb5-kdf.patch diff --git a/openssl-1.1.1-krb5-kdf.patch b/openssl-1.1.1-krb5-kdf.patch new file mode 100644 index 0000000..5bf33f6 --- /dev/null +++ b/openssl-1.1.1-krb5-kdf.patch 
@@ -0,0 +1,1254 @@ +diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt +--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-12 13:30:36.283748577 +0100 +@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g + EVP_F_SCRYPT_ALG:228:scrypt_alg + EVP_F_UPDATE:173:update + KDF_F_HKDF_EXTRACT:112:HKDF_Extract ++KDF_F_KBKDF_CTRL:134:kbkdf_ctrl ++KDF_F_KBKDF_CTRL_STR:135:kbkdf_ctrl_str ++KDF_F_KBKDF_DERIVE:136:kbkdf_derive ++KDF_F_KBKDF_NEW:137:kbkdf_new ++KDF_F_KDF_CIPHER2CTRL:138:kdf_cipher2ctrl + KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive + KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new + KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size +@@ -2326,6 +2331,8 @@ EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mod + EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length + EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys + KDF_R_INVALID_DIGEST:100:invalid digest ++KDF_R_INVALID_SEED_LENGTH:116:invalid seed length ++KDF_R_MISSING_CIPHER:117:missing cipher + KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count + KDF_R_MISSING_KEY:104:missing key + KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest +diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c +--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-12 13:44:04.435282854 +0100 +@@ -31,6 +31,7 @@ static const EVP_KDF_METHOD *standard_me + &tls1_prf_kdf_meth, + &hkdf_kdf_meth, + &sshkdf_kdf_meth, ++ &kb_kdf_meth, + }; + + DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, +diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h +--- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-12 13:30:36.283748577 
+0100 +@@ -130,6 +130,7 @@ extern const EVP_KDF_METHOD scrypt_kdf_m + extern const EVP_KDF_METHOD tls1_prf_kdf_meth; + extern const EVP_KDF_METHOD hkdf_kdf_meth; + extern const EVP_KDF_METHOD sshkdf_kdf_meth; ++extern const EVP_KDF_METHOD kb_kdf_meth; + + struct evp_md_st { + int type; +diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info +--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 ++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-12 13:30:36.284748559 +0100 +@@ -1,3 +1,3 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ +- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c +diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c +--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-12 13:30:36.284748559 +0100 ++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-12 16:09:32.828238926 +0100 +@@ -0,0 +1,530 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2019 Red Hat, Inc. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final ++ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC ++ * and CMAC. That document does not name the KDFs it defines; the name is ++ * derived from ++ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation ++ * ++ * Note that section 5.3 ("double-pipeline mode") is not implemented, though ++ * it would be possible to do so in the future. ++ * ++ * These versions all assume the counter is used. 
It would be relatively ++ * straightforward to expose a configuration handle should the need arise. ++ * ++ * Variable names attempt to match those of SP800-108. ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "internal/cryptlib.h" ++#include "internal/evp_int.h" ++#include "kdf_local.h" ++ ++#include "e_os.h" ++ ++#define MIN(a, b) ((a) < (b)) ? (a) : (b) ++ ++typedef struct { ++ int mac_type; ++ union { ++ HMAC_CTX *hmac; ++ CMAC_CTX *cmac; ++ } m; ++} MAC_CTX; ++ ++/* Our context structure. */ ++struct evp_kdf_impl_st { ++ int mode; ++ ++ MAC_CTX *ctx_init; ++ ++ const EVP_CIPHER *cipher; ++ const EVP_MD *md; ++ ++ /* Names are lowercased versions of those found in SP800-108. */ ++ unsigned char *ki; ++ size_t ki_len; ++ unsigned char *label; ++ size_t label_len; ++ unsigned char *context; ++ size_t context_len; ++ unsigned char *iv; ++ size_t iv_len; ++}; ++ ++static MAC_CTX *EVP_MAC_CTX_new(int mac_type) ++{ ++ MAC_CTX *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->mac_type = mac_type; ++ if (mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL) ++ goto err; ++ } else { ++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL) ++ goto err; ++ } ++ return ctx; ++ ++err: ++ OPENSSL_free(ctx); ++ return NULL; ++} ++ ++static void EVP_MAC_CTX_free(MAC_CTX *ctx) ++{ ++ if (ctx == NULL) ++ return; ++ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) ++ HMAC_CTX_free(ctx->m.hmac); ++ else ++ CMAC_CTX_free(ctx->m.cmac); ++} ++ ++static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx) ++{ ++ MAC_CTX *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*sctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->mac_type = sctx->mac_type; ++ if (sctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL ++ || HMAC_CTX_copy(ctx->m.hmac, sctx->m.hmac) <= 0) ++ goto err; ++ } else { ++ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL ++ || 
CMAC_CTX_copy(ctx->m.cmac, sctx->m.cmac) <= 0) ++ goto err; ++ } ++ return ctx; ++ ++err: ++ EVP_MAC_CTX_free(ctx); ++ return NULL; ++} ++ ++static size_t EVP_MAC_size(MAC_CTX *ctx) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ const EVP_MD *md; ++ ++ if (ctx->m.hmac == NULL) ++ return 0; ++ if ((md = HMAC_CTX_get_md(ctx->m.hmac)) == NULL) ++ return 0; ++ return (size_t)EVP_MD_size(md); ++ } else { ++ const EVP_CIPHER_CTX *cctx; ++ ++ if (ctx->m.cmac == NULL) ++ return 0; ++ if ((cctx = CMAC_CTX_get0_cipher_ctx(ctx->m.cmac)) == NULL) ++ return 0; ++ return EVP_CIPHER_CTX_block_size(cctx); ++ } ++} ++ ++static int EVP_MAC_update(MAC_CTX *ctx, const unsigned char *data, ++ size_t datalen) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) ++ return HMAC_Update(ctx->m.hmac, data, datalen); ++ else ++ return CMAC_Update(ctx->m.cmac, data, datalen); ++} ++ ++static int EVP_MAC_final(MAC_CTX *ctx, unsigned char *out, ++ size_t *outl, size_t outsize) ++{ ++ if (outsize != EVP_MAC_size(ctx)) ++ /* we do not cope with anything else */ ++ return 0; ++ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ unsigned int intsize = (unsigned int)outsize; ++ int ret; ++ ++ ret = HMAC_Final(ctx->m.hmac, out, &intsize); ++ if (outl != NULL) ++ *outl = intsize; ++ return ret; ++ } else { ++ size_t size = outsize; ++ int ret; ++ ++ ret = CMAC_Final(ctx->m.cmac, out, &size); ++ if (outl != NULL) ++ *outl = size; ++ return ret; ++ } ++} ++ ++static int evp_mac_init(MAC_CTX *ctx, const EVP_MD *md, ++ const EVP_CIPHER *cipher, unsigned char *key, size_t keylen) ++{ ++ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { ++ if (md == NULL) ++ return 0; ++ return HMAC_Init_ex(ctx->m.hmac, key, (int)keylen, md, NULL); ++ } else { ++ if (cipher == NULL) ++ return 0; ++ return CMAC_Init(ctx->m.cmac, key, keylen, cipher, NULL); ++ } ++} ++ ++static void kbkdf_reset(EVP_KDF_IMPL *ctx); ++ ++/* Not all platforms have htobe32(). 
*/ ++static uint32_t be32(uint32_t host) ++{ ++ uint32_t big = 0; ++ const union { ++ long one; ++ char little; ++ } is_endian = { 1 }; ++ ++ if (!is_endian.little) ++ return host; ++ ++ big |= (host & 0xff000000) >> 24; ++ big |= (host & 0x00ff0000) >> 8; ++ big |= (host & 0x0000ff00) << 8; ++ big |= (host & 0x000000ff) << 24; ++ return big; ++} ++ ++static EVP_KDF_IMPL *kbkdf_new(void) ++{ ++ EVP_KDF_IMPL *ctx; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) { ++ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return NULL; ++ } ++ ++ return ctx; ++} ++ ++static void kbkdf_free(EVP_KDF_IMPL *ctx) ++{ ++ kbkdf_reset(ctx); ++ OPENSSL_free(ctx); ++} ++ ++static void kbkdf_reset(EVP_KDF_IMPL *ctx) ++{ ++ EVP_MAC_CTX_free(ctx->ctx_init); ++ OPENSSL_clear_free(ctx->context, ctx->context_len); ++ OPENSSL_clear_free(ctx->label, ctx->label_len); ++ OPENSSL_clear_free(ctx->ki, ctx->ki_len); ++ OPENSSL_clear_free(ctx->iv, ctx->iv_len); ++ memset(ctx, 0, sizeof(*ctx)); ++} ++ ++/* SP800-108 section 5.1 or section 5.2 depending on mode. */ ++static int derive(MAC_CTX *ctx_init, int mode, unsigned char *iv, ++ size_t iv_len, unsigned char *label, size_t label_len, ++ unsigned char *context, size_t context_len, ++ unsigned char *k_i, size_t h, uint32_t l, unsigned char *ko, ++ size_t ko_len) ++{ ++ int ret = 0; ++ MAC_CTX *ctx = NULL; ++ size_t written = 0, to_write, k_i_len = iv_len; ++ const unsigned char zero = 0; ++ uint32_t counter, i; ++ ++ /* Setup K(0) for feedback mode. */ ++ if (iv_len > 0) ++ memcpy(k_i, iv, iv_len); ++ ++ for (counter = 1; written < ko_len; counter++) { ++ i = be32(counter); ++ ++ ctx = EVP_MAC_CTX_dup(ctx_init); ++ if (ctx == NULL) ++ goto done; ++ ++ /* Perform feedback, if appropriate. 
*/ ++ if (mode == EVP_KDF_KB_MODE_FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) ++ goto done; ++ ++ if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) ++ || !EVP_MAC_update(ctx, label, label_len) ++ || !EVP_MAC_update(ctx, &zero, 1) ++ || !EVP_MAC_update(ctx, context, context_len) ++ || !EVP_MAC_update(ctx, (unsigned char *)&l, 4) ++ || !EVP_MAC_final(ctx, k_i, NULL, h)) ++ goto done; ++ ++ to_write = ko_len - written; ++ memcpy(ko + written, k_i, MIN(to_write, h)); ++ written += h; ++ ++ k_i_len = h; ++ EVP_MAC_CTX_free(ctx); ++ ctx = NULL; ++ } ++ ++ ret = 1; ++done: ++ EVP_MAC_CTX_free(ctx); ++ return ret; ++} ++ ++static int kbkdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, size_t keylen) ++{ ++ int ret = 0; ++ unsigned char *k_i = NULL; ++ uint32_t l = be32(keylen * 8); ++ size_t h = 0; ++ ++ /* label, context, and iv are permitted to be empty. Check everything ++ * else. */ ++ if (ctx->ctx_init == NULL ++ || evp_mac_init(ctx->ctx_init, ctx->md, ctx->cipher, ctx->ki, ctx->ki_len) <= 0) { ++ if (ctx->ki_len == 0 || ctx->ki == NULL) { ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_KEY); ++ return 0; ++ } ++ /* Could either be missing MAC or missing message digest or missing ++ * cipher - arbitrarily, I pick this one. 
*/ ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_PARAMETER); ++ return 0; ++ } ++ ++ h = EVP_MAC_size(ctx->ctx_init); ++ if (h == 0) ++ goto done; ++ if (ctx->iv_len != 0 && ctx->iv_len != h) { ++ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_INVALID_SEED_LENGTH); ++ goto done; ++ } ++ ++ k_i = OPENSSL_zalloc(h); ++ if (k_i == NULL) ++ goto done; ++ ++ ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, ++ ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, ++ key, keylen); ++done: ++ if (ret != 1) ++ OPENSSL_cleanse(key, keylen); ++ OPENSSL_clear_free(k_i, h); ++ return ret; ++} ++ ++static size_t kbkdf_size(EVP_KDF_IMPL *ctx) ++{ ++ return UINT32_MAX/8; ++} ++ ++static int kbkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, ++ va_list args) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*dst, *dst_len); ++ *dst = OPENSSL_memdup(p, len); ++ if (*dst == NULL) ++ return 0; ++ ++ *dst_len = len; ++ return 1; ++} ++ ++static int kbkdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) ++{ ++ int t; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_MD: ++ ctx->md = va_arg(args, const EVP_MD *); ++ if (ctx->md == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_CIPHER: ++ ctx->cipher = va_arg(args, const EVP_CIPHER *); ++ if (ctx->cipher == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KEY: ++ return kbkdf_parse_buffer_arg(&ctx->ki, ++ &ctx->ki_len, args); ++ ++ case EVP_KDF_CTRL_SET_SALT: ++ return kbkdf_parse_buffer_arg(&ctx->label, ++ &ctx->label_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_INFO: ++ return kbkdf_parse_buffer_arg(&ctx->context, ++ &ctx->context_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_SEED: ++ return kbkdf_parse_buffer_arg(&ctx->iv, ++ &ctx->iv_len, args); ++ ++ case EVP_KDF_CTRL_SET_KB_MODE: ++ t = va_arg(args, int); ++ if (t != EVP_KDF_KB_MODE_COUNTER && t != EVP_KDF_KB_MODE_FEEDBACK ) { ++ 
KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ctx->mode = t; ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KB_MAC_TYPE: ++ t = va_arg(args, int); ++ if (t != EVP_KDF_KB_MAC_TYPE_HMAC && t != EVP_KDF_KB_MAC_TYPE_CMAC ) { ++ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ if (ctx->ctx_init != NULL) { ++ EVP_MAC_CTX_free(ctx->ctx_init); ++ } ++ ctx->ctx_init = EVP_MAC_CTX_new(t); ++ if (ctx->ctx_init == NULL) { ++ KDFerr(KDF_F_KBKDF_CTRL, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ return 1; ++ ++ default: ++ return -2; ++ ++ } ++} ++ ++static int kbkdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ /* alias, for historical reasons */ ++ if (strcmp(type, "md") == 0) ++ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ if (strcmp(type, "cipher") == 0) ++ return kdf_cipher2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); ++ ++ if (strcmp(type, "key") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "salt") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_SALT, value); ++ ++ if (strcmp(type, "hexsalt") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_SALT, value); ++ ++ if (strcmp(type, "info") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_INFO, value); ++ ++ if (strcmp(type, "hexinfo") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_INFO, value); ++ ++ if (strcmp(type, "seed") == 0) ++ return kdf_str2ctrl(ctx, kbkdf_ctrl, ++ EVP_KDF_CTRL_SET_KB_SEED, value); ++ ++ if (strcmp(type, "hexseed") == 0) ++ return kdf_hex2ctrl(ctx, kbkdf_ctrl, 
++ EVP_KDF_CTRL_SET_KB_SEED, value); ++ ++ if (strcmp(type, "mode") == 0) { ++ int mode; ++ ++ if (strcasecmp(value, "counter") == 0) { ++ mode = EVP_KDF_KB_MODE_COUNTER; ++ } else if (strcasecmp(value, "feedback") == 0) { ++ mode = EVP_KDF_KB_MODE_FEEDBACK; ++ } else { ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MODE, ++ mode); ++ } ++ ++ if (strcmp(type, "mac_type") == 0) { ++ int mac_type; ++ ++ if (strcasecmp(value, "hmac") == 0) { ++ mac_type = EVP_KDF_KB_MAC_TYPE_HMAC; ++ } else if (strcasecmp(value, "cmac") == 0) { ++ mac_type = EVP_KDF_KB_MAC_TYPE_CMAC; ++ } else { ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); ++ return 0; ++ } ++ ++ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, ++ mac_type); ++ } ++ ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); ++ return -2; ++} ++ ++ ++const EVP_KDF_METHOD kb_kdf_meth = { ++ EVP_KDF_KB, ++ kbkdf_new, ++ kbkdf_free, ++ kbkdf_reset, ++ kbkdf_ctrl, ++ kbkdf_ctrl_str, ++ kbkdf_size, ++ kbkdf_derive, ++}; ++ +diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c +--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-12 13:30:36.262748955 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-12 13:30:36.284748559 +0100 +@@ -15,6 +15,11 @@ + + static const ERR_STRING_DATA KDF_str_functs[] = { + {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL, 0), "kbkdf_ctrl"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL_STR, 0), "kbkdf_ctrl_str"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_DERIVE, 0), "kbkdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_NEW, 0), "kbkdf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_CIPHER2CTRL, 0), "kdf_cipher2ctrl"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, + {ERR_PACK(ERR_LIB_KDF, 
KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, +@@ -64,7 +69,9 @@ static const ERR_STRING_DATA KDF_str_fun + }; + + static const ERR_STRING_DATA KDF_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT), + "missing iteration count"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, +diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h +--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-12 13:30:36.253749117 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-12 13:30:36.284748559 +0100 +@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl, + int kdf_md2ctrl(EVP_KDF_IMPL *impl, + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *md_name); +- ++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *cipher_name); +diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c +--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-12 13:30:36.253749117 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-12 13:30:36.284748559 +0100 +@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl, + return call_ctrl(ctrl, impl, cmd, md); + } + ++/* Pass a cipher to a ctrl */ ++int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, ++ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), ++ int cmd, const char *cipher_name) ++{ ++ const EVP_CIPHER *cipher; ++ ++ if (cipher_name == NULL || (cipher = EVP_get_cipherbyname(cipher_name)) == NULL) { ++ KDFerr(KDF_F_KDF_CIPHER2CTRL, KDF_R_INVALID_CIPHER); ++ return 0; ++ } ++ return call_ctrl(ctrl, impl, cmd, cipher); ++} +diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 
openssl-1.1.1d/crypto/objects/obj_dat.h +--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-12 13:30:36.285748541 +0100 +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1196 ++#define NUM_NID 1197 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2276,9 +2276,10 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"SSHKDF", "sshkdf", NID_sshkdf}, ++ {"KBKDF", "kbkdf", NID_kbkdf}, + }; + +-#define NUM_SN 1187 ++#define NUM_SN 1188 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -2442,6 +2443,7 @@ static const unsigned int sn_objs[NUM_SN + 183, /* "ISO-US" */ + 645, /* "ITU-T" */ + 646, /* "JOINT-ISO-ITU-T" */ ++ 1196, /* "KBKDF" */ + 773, /* "KISA" */ + 1063, /* "KxANY" */ + 1039, /* "KxDHE" */ +@@ -3469,7 +3471,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1187 ++#define NUM_LN 1188 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4262,6 +4264,7 @@ static const unsigned int ln_objs[NUM_LN + 957, /* "jurisdictionCountryName" */ + 955, /* "jurisdictionLocalityName" */ + 956, /* "jurisdictionStateOrProvinceName" */ ++ 1196, /* "kbkdf" */ + 150, /* "keyBag" */ + 773, /* "kisa" */ + 1063, /* "kx-any" */ +diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt +--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ 
openssl-1.1.1d/crypto/objects/objects.txt 2019-11-12 13:30:36.286748523 +0100 +@@ -1603,6 +1603,9 @@ secg-scheme 14 3 : dhSinglePass-cofactor + # NID for SSHKDF + : SSHKDF : sshkdf + ++# NID for KBKDF ++ : KBKDF : kbkdf ++ + # RFC 4556 + 1 3 6 1 5 2 3 : id-pkinit + id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth +diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num +--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-12 13:30:36.286748523 +0100 +@@ -1193,3 +1193,4 @@ magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 + sshkdf 1195 ++kbkdf 1196 +diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod +--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-12 13:30:36.254749099 +0100 ++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-12 13:30:36.286748523 +0100 +@@ -140,7 +140,14 @@ The value string is expected to be a dec + This control expects one argument: C + + For MAC implementations that use a message digest as an underlying computation +-algorithm, this control set what the digest algorithm should be. ++algorithm, this control sets what the digest algorithm should be. ++ ++=item B ++ ++This control expects one argument: C ++ ++For MAC implementations that use a cipher as an underlying computation ++algorithm, this control sets what the cipher algorithm should be. 
+ + EVP_KDF_ctrl_str() type string: "md" + +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-12 13:30:36.286748523 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-12 13:30:36.286748523 +0100 +@@ -0,0 +1,177 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_KB - The Key-Based EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++The EVP_KDF_KB algorithm implements the Key-Based key derivation function ++(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an ++input secret (and other optional values). ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it can be used with the ++EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mode for the KBKDF operation. There are two supported modes: ++ ++=over 4 ++ ++=item B ++ ++The counter mode of KBKDF should be used. This is the default. ++ ++=item B ++ ++The feedback mode of KBKDF should be used. ++ ++=back ++ ++=item B ++ ++This control expects one argument: C ++ ++Sets the mac type for the KBKDF operation. There are two supported mac types: ++ ++=over 4 ++ ++=item B ++ ++The HMAC with the digest set by B should be used as the mac. ++ ++=item B ++ ++The CMAC with the cipher set by B should be used as the mac. ++ ++=back ++ ++=item B ++ ++=item B ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++It is used only in the feedback mode and the length must be the same ++as the block length of the cipher in CMAC or the size of the digest in HMAC. ++ ++=back ++ ++The controls B, B, ++B, and B ++correspond to KI, Label, Context, and IV (respectively) in SP800-108. 
++As in that document, salt, info, and seed are optional and may be ++omitted. ++ ++Depending on whether mac is CMAC or HMAC, either digest or cipher is ++required (respectively) and the other is unused. ++ ++=head1 NOTES ++ ++A context for KBKDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++The output length of an KBKDF is specified via the C ++parameter to the L function. ++ ++Note that currently OpenSSL only implements counter and feedback modes. Other ++variants may be supported in the future. ++ ++=head1 EXAMPLES ++ ++This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret", ++Label "label", and Context "context". ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ error("EVP_KDF_derive"); ++ ++ EVP_KDF_CTX_free(kctx); ++ ++This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret", ++Label "label", Context "context", and IV "sixteen bytes iv". 
++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ unsigned char *iv = "sixteen bytes iv"; ++ ++ kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL); ++ kctx = EVP_KDF_CTX_new(kdf); ++ EVP_KDF_free(kdf); ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_ecb()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, strlen(iv)); ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ error("EVP_KDF_derive"); ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++NIST SP800-108, IETF RFC 6803, IETF RFC 8009. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2019 Red Hat, Inc. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h +--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-12 13:30:36.286748523 +0100 +@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void); + * KDF function codes. 
+ */ + # define KDF_F_HKDF_EXTRACT 112 ++# define KDF_F_KBKDF_CTRL 134 ++# define KDF_F_KBKDF_CTRL_STR 135 ++# define KDF_F_KBKDF_DERIVE 136 ++# define KDF_F_KBKDF_NEW 137 ++# define KDF_F_KDF_CIPHER2CTRL 138 + # define KDF_F_KDF_HKDF_DERIVE 113 + # define KDF_F_KDF_HKDF_NEW 114 + # define KDF_F_KDF_HKDF_SIZE 115 +@@ -61,7 +66,9 @@ int ERR_load_KDF_strings(void); + /* + * KDF reason codes. + */ ++# define KDF_R_INVALID_CIPHER 116 + # define KDF_R_INVALID_DIGEST 100 ++# define KDF_R_INVALID_SEED_LENGTH 117 + # define KDF_R_MISSING_ITERATION_COUNT 109 + # define KDF_R_MISSING_KEY 104 + # define KDF_R_MISSING_MESSAGE_DIGEST 105 +diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h +--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 ++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-12 13:30:36.287748505 +0100 +@@ -21,6 +21,7 @@ extern "C" { + # define EVP_KDF_TLS1_PRF NID_tls1_prf + # define EVP_KDF_HKDF NID_hkdf + # define EVP_KDF_SSHKDF NID_sshkdf ++# define EVP_KDF_KB NID_kbkdf + + EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); + void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); +@@ -51,6 +52,11 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */ + # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */ + # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */ ++# define EVP_KDF_CTRL_SET_KB_MODE 0x13 /* int */ ++# define EVP_KDF_CTRL_SET_KB_MAC_TYPE 0x14 /* int */ ++# define EVP_KDF_CTRL_SET_CIPHER 0x15 /* EVP_CIPHER * */ ++# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */ + + # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 +@@ -63,6 +69,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 + #define 
EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 + ++#define EVP_KDF_KB_MODE_COUNTER 0 ++#define EVP_KDF_KB_MODE_FEEDBACK 1 ++ ++#define EVP_KDF_KB_MAC_TYPE_HMAC 0 ++#define EVP_KDF_KB_MAC_TYPE_CMAC 1 ++ + /**** The legacy PKEY-based KDF API follows. ****/ + + # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) +diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h +--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100 ++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-12 13:30:36.287748505 +0100 +@@ -4974,6 +4974,10 @@ + #define LN_sshkdf "sshkdf" + #define NID_sshkdf 1203 + ++#define SN_kbkdf "KBKDF" ++#define LN_kbkdf "kbkdf" ++#define NID_kbkdf 1204 ++ + #define SN_id_pkinit "id-pkinit" + #define NID_id_pkinit 1031 + #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L +diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c +--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-12 13:30:36.257749045 +0100 ++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-12 16:35:19.265237664 +0100 +@@ -225,8 +225,261 @@ err: + } + #endif + ++/* ++ * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5) ++ * section 10. 
++ */ ++static int test_kdf_kbkdf_6803_128(void) ++{ ++ int ret = 0, i; ++ EVP_KDF_CTX *kctx; ++ static unsigned char input_key[] = { ++ 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3, ++ 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B, ++ }; ++ static unsigned char constants[][5] = { ++ { 0x00, 0x00, 0x00, 0x02, 0x99 }, ++ { 0x00, 0x00, 0x00, 0x02, 0xaa }, ++ { 0x00, 0x00, 0x00, 0x02, 0x55 }, ++ }; ++ static unsigned char outputs[][16] = { ++ {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0, ++ 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56}, ++ {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17, ++ 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB}, ++ {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C, ++ 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35} ++ }; ++ static unsigned char iv[16] = { 0 }; ++ unsigned char result[16] = { 0 }; ++ ++ for (i = 0; i < 3; i++) { ++ ret = 0; ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_128_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), outputs[i], ++ 
sizeof(outputs[i])); ++err: ++ EVP_KDF_CTX_free(kctx); ++ if (ret != 1) ++ return ret; ++ } ++ return ret; ++} ++ ++static int test_kdf_kbkdf_6803_256(void) ++{ ++ int ret = 0, i; ++ EVP_KDF_CTX *kctx; ++ static unsigned char input_key[] = { ++ 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE, ++ 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6, ++ 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F, ++ 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C, ++ }; ++ static unsigned char constants[][5] = { ++ { 0x00, 0x00, 0x00, 0x02, 0x99 }, ++ { 0x00, 0x00, 0x00, 0x02, 0xaa }, ++ { 0x00, 0x00, 0x00, 0x02, 0x55 }, ++ }; ++ static unsigned char outputs[][32] = { ++ {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3, ++ 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22, ++ 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6, ++ 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50, ++ }, ++ {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F, ++ 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60, ++ 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F, ++ 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04, ++ }, ++ {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F, ++ 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB, ++ 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D, ++ 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0, ++ }, ++ }; ++ static unsigned char iv[16] = { 0 }; ++ unsigned char result[32] = { 0 }; ++ ++ for (i = 0; i < 3; i++) { ++ ret = 0; ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MODE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_256_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, 
EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_SEED"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), outputs[i], ++ sizeof(outputs[i])); ++err: ++ EVP_KDF_CTX_free(kctx); ++ if (ret != 1) ++ return ret; ++ } ++ return ret; ++} ++ ++/* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos ++ * 5) appendix A. */ ++static int test_kdf_kbkdf_8009_prf1(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, ++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, ++ }; ++ static unsigned char output[] = { ++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, ++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, ++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, ++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if 
(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), output, ++ sizeof(output)); ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++static int test_kdf_kbkdf_8009_prf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D, ++ 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98, ++ 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0, ++ 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52, ++ }; ++ static unsigned char output[] = { ++ 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6, ++ 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0, ++ 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C, ++ 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D, ++ 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33, ++ 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ TEST_error("EVP_KDF_KB"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha384()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SALT"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KB_INFO"); ++ goto err; ++ } ++ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, 
sizeof(result)), 0) ++ && TEST_mem_eq(result, sizeof(result), output, ++ sizeof(output)); ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int setup_tests(void) + { ++ ADD_TEST(test_kdf_kbkdf_6803_128); ++ ADD_TEST(test_kdf_kbkdf_6803_256); ++ ADD_TEST(test_kdf_kbkdf_8009_prf1); ++ ADD_TEST(test_kdf_kbkdf_8009_prf2); + ADD_TEST(test_kdf_tls1_prf); + ADD_TEST(test_kdf_hkdf); + ADD_TEST(test_kdf_pbkdf2); From 266efa305593358bb168b099264b7279fbec5a66 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 13 Nov 2019 13:43:05 +0100 Subject: [PATCH 7/8] backport of KBKDF and KRB5KDF from master --- openssl-1.1.1-krb5-kdf.patch | 916 ++++++++++++++++++++++++++++++++--- openssl.spec | 7 +- 2 files changed, 858 insertions(+), 65 deletions(-) diff --git a/openssl-1.1.1-krb5-kdf.patch b/openssl-1.1.1-krb5-kdf.patch index 5bf33f6..23d9b47 100644 --- a/openssl-1.1.1-krb5-kdf.patch +++ b/openssl-1.1.1-krb5-kdf.patch @@ -1,6 +1,6 @@ diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt ---- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 -+++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-12 13:30:36.283748577 +0100 +--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-13 12:11:34.728655841 +0100 @@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g EVP_F_SCRYPT_ALG:228:scrypt_alg EVP_F_UPDATE:173:update 
@@ -13,49 +13,73 @@ diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/er KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size -@@ -2326,6 +2331,8 @@ EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mod +@@ -840,6 +845,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new + KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str + KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive + KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new ++KDF_F_KRB5KDF:139:KRB5KDF ++KDF_F_KRB5KDF_DERIVE:140:krb5kdf_derive + KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf + KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str + KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive +@@ -2325,7 +2332,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor + EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys ++KDF_R_FAILED_TO_GENERATE_KEY:118:failed to generate key ++KDF_R_INVALID_CIPHER:116:invalid cipher ++KDF_R_INVALID_CONSTANT_LENGTH:119:invalid constant length KDF_R_INVALID_DIGEST:100:invalid digest -+KDF_R_INVALID_SEED_LENGTH:116:invalid seed length -+KDF_R_MISSING_CIPHER:117:missing cipher ++KDF_R_INVALID_SEED_LENGTH:117:invalid seed length ++KDF_R_MISSING_CIPHER:120:missing cipher ++KDF_R_MISSING_CONSTANT:121:missing constant KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count KDF_R_MISSING_KEY:104:missing key KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest +@@ -2340,6 +2353,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas + KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type + KDF_R_VALUE_ERROR:108:value error + KDF_R_VALUE_MISSING:102:value missing ++KDF_R_WRONG_FINAL_BLOCK_LENGTH:120:wrong final block length + KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size + OBJ_R_OID_EXISTS:102:oid exists + OBJ_R_UNKNOWN_NID:101:unknown nid diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 
openssl-1.1.1d/crypto/evp/kdf_lib.c ---- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 -+++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-12 13:44:04.435282854 +0100 -@@ -31,6 +31,7 @@ static const EVP_KDF_METHOD *standard_me +--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-13 12:11:34.729655823 +0100 +@@ -31,6 +31,8 @@ static const EVP_KDF_METHOD *standard_me &tls1_prf_kdf_meth, &hkdf_kdf_meth, &sshkdf_kdf_meth, + &kb_kdf_meth, ++ &krb5kdf_kdf_meth, }; DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h ---- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 -+++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-12 13:30:36.283748577 +0100 -@@ -130,6 +130,7 @@ extern const EVP_KDF_METHOD scrypt_kdf_m +--- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 ++++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-13 12:11:34.729655823 +0100 +@@ -130,6 +130,8 @@ extern const EVP_KDF_METHOD scrypt_kdf_m extern const EVP_KDF_METHOD tls1_prf_kdf_meth; extern const EVP_KDF_METHOD hkdf_kdf_meth; extern const EVP_KDF_METHOD sshkdf_kdf_meth; +extern const EVP_KDF_METHOD kb_kdf_meth; ++extern const EVP_KDF_METHOD krb5kdf_kdf_meth; struct evp_md_st { int type; diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info ---- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-12 13:30:36.261748973 +0100 -+++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-12 13:30:36.284748559 +0100 +--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 ++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-13 12:11:34.729655823 +0100 
@@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c -+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c ---- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-12 13:30:36.284748559 +0100 -+++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-12 16:09:32.828238926 +0100 -@@ -0,0 +1,530 @@ +--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-13 12:11:34.729655823 +0100 ++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-13 12:11:34.729655823 +0100 +@@ -0,0 +1,529 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019 Red Hat, Inc. @@ -574,7 +598,6 @@ diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kb + return -2; +} + -+ +const EVP_KDF_METHOD kb_kdf_meth = { + EVP_KDF_KB, + kbkdf_new, @@ -587,8 +610,8 @@ diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kb +}; + diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c ---- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-12 13:30:36.262748955 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-12 13:30:36.284748559 +0100 +--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-13 12:11:34.730655805 +0100 @@ -15,6 +15,11 @@ static const ERR_STRING_DATA KDF_str_functs[] = { 
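Review bot: `KDF_R_MISSING_CIPHER` and `KDF_R_WRONG_FINAL_BLOCK_LENGTH` are both given reason code 120 in the new `crypto/err/openssl.txt` lines of the `@@ -13,49 +13,73 @@` hunk. The later `kdf_err.c` hunk (`@@ -601,19 +624,42 @@`) registers a separate string for each, so if `kdferr.h`, which is not visible in this part of the page, carries the same values, the two reasons pack to one error code. A final-block length failure in KRB5KDF could then be reported as "missing cipher" (or the reverse), which misleads anyone diagnosing a key-derivation failure from the error queue. Give one of them its own value, e.g. `KDF_R_WRONG_FINAL_BLOCK_LENGTH:<unused reason code>:wrong final block length`, and regenerate the error tables so `openssl.txt`, `kdferr.h` and `kdf_err.c` agree.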
@@ -601,19 +624,42 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, -@@ -64,7 +69,9 @@ static const ERR_STRING_DATA KDF_str_fun +@@ -41,6 +46,8 @@ static const ERR_STRING_DATA KDF_str_fun + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0), + "kdf_tls1_prf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF, 0), "KRB5KDF"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF_DERIVE, 0), "krb5kdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, +@@ -64,7 +71,14 @@ static const ERR_STRING_DATA KDF_str_fun }; static const ERR_STRING_DATA KDF_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_FAILED_TO_GENERATE_KEY), ++ "failed to generate key"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CONSTANT_LENGTH), "invalid constant length"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CIPHER), "missing cipher"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CONSTANT), "missing constant"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT), "missing iteration count"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, +@@ -82,6 +96,8 @@ static const ERR_STRING_DATA KDF_str_rea + "unknown parameter type"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, ++ {ERR_PACK(ERR_LIB_KDF, 0, 
KDF_R_WRONG_FINAL_BLOCK_LENGTH), ++ "wrong final block length"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE), + "wrong output buffer size"}, + {0, NULL} diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h ---- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-12 13:30:36.253749117 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-12 13:30:36.284748559 +0100 +--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-13 12:11:34.697656393 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-13 12:11:34.730655805 +0100 @@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl, int kdf_md2ctrl(EVP_KDF_IMPL *impl, int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), @@ -623,8 +669,8 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kd + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *cipher_name); diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c ---- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-12 13:30:36.253749117 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-12 13:30:36.284748559 +0100 +--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-13 12:11:34.697656393 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-13 12:11:34.730655805 +0100 @@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl, return call_ctrl(ctrl, impl, cmd, md); } 
@@ -642,79 +688,510 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf + } + return call_ctrl(ctrl, impl, cmd, cipher); +} +diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/krb5kdf.c +--- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-13 12:11:34.730655805 +0100 ++++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-13 12:25:50.519417362 +0100 +@@ -0,0 +1,417 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "internal/cryptlib.h" ++#include "internal/evp_int.h" ++#include "kdf_local.h" ++ ++/* KRB5 KDF defined in RFC 3961, Section 5.1 */ ++ ++static int KRB5KDF(const EVP_CIPHER *cipher, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *constant, size_t constant_len, ++ unsigned char *okey, size_t okey_len); ++ ++struct evp_kdf_impl_st { ++ const EVP_CIPHER *cipher; ++ unsigned char *key; ++ size_t key_len; ++ unsigned char *constant; ++ size_t constant_len; ++}; ++ ++static void krb5kdf_reset(EVP_KDF_IMPL *ctx); ++ ++static EVP_KDF_IMPL *krb5kdf_new(void) ++{ ++ EVP_KDF_IMPL *ctx; ++ ++ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) ++ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return ctx; ++} ++ ++static void krb5kdf_free(EVP_KDF_IMPL *ctx) ++{ ++ krb5kdf_reset(ctx); ++ OPENSSL_free(ctx); ++} ++ ++static void krb5kdf_reset(EVP_KDF_IMPL *ctx) ++{ ++ OPENSSL_clear_free(ctx->key, ctx->key_len); ++ OPENSSL_clear_free(ctx->constant, ctx->constant_len); ++ memset(ctx, 0, sizeof(*ctx)); ++} ++ ++static int krb5kdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, ++ size_t keylen) ++{ ++ if (ctx->cipher 
== NULL) { ++ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CIPHER); ++ return 0; ++ } ++ if (ctx->key == NULL) { ++ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_KEY); ++ return 0; ++ } ++ if (ctx->constant == NULL) { ++ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CONSTANT); ++ return 0; ++ } ++ return KRB5KDF(ctx->cipher, ctx->key, ctx->key_len, ++ ctx->constant, ctx->constant_len, ++ key, keylen); ++} ++ ++static size_t krb5kdf_size(EVP_KDF_IMPL *ctx) ++{ ++ if (ctx->cipher != NULL) ++ return EVP_CIPHER_key_length(ctx->cipher); ++ else ++ return EVP_MAX_KEY_LENGTH; ++} ++ ++ ++static int krb5kdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, ++ va_list args) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ OPENSSL_clear_free(*dst, *dst_len); ++ *dst = OPENSSL_memdup(p, len); ++ if (*dst == NULL) ++ return 0; ++ ++ *dst_len = len; ++ return 1; ++} ++ ++static int krb5kdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) ++{ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_CIPHER: ++ ctx->cipher = va_arg(args, const EVP_CIPHER *); ++ if (ctx->cipher == NULL) ++ return 0; ++ ++ return 1; ++ ++ case EVP_KDF_CTRL_SET_KEY: ++ return krb5kdf_parse_buffer_arg(&ctx->key, ++ &ctx->key_len, args); ++ ++ case EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT: ++ return krb5kdf_parse_buffer_arg(&ctx->constant, ++ &ctx->constant_len, args); ++ default: ++ return -2; ++ ++ } ++} ++ ++static int krb5kdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, ++ const char *value) ++{ ++ if (value == NULL) { ++ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); ++ return 0; ++ } ++ ++ if (strcmp(type, "cipher") == 0) ++ return kdf_cipher2ctrl(ctx, krb5kdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); ++ ++ if (strcmp(type, "key") == 0) ++ return kdf_str2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if (strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KEY, value); ++ ++ if 
(strcmp(type, "constant") == 0) ++ return kdf_str2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value); ++ ++ if (strcmp(type, "hexconstant") == 0) ++ return kdf_hex2ctrl(ctx, krb5kdf_ctrl, ++ EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value); ++ ++ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); ++ return -2; ++} ++ ++ ++#ifndef OPENSSL_NO_DES ++/* ++ * DES3 is a special case, it requires a random-to-key function and its ++ * input truncated to 21 bytes of the 24 produced by the cipher. ++ * See RFC3961 6.3.1 ++ */ ++static int fixup_des3_key(unsigned char *key) ++{ ++ unsigned char *cblock; ++ int i, j; ++ ++ for (i = 2; i >= 0; i--) { ++ cblock = &key[i * 8]; ++ memmove(cblock, &key[i * 7], 7); ++ cblock[7] = 0; ++ for (j = 0; j < 7; j++) ++ cblock[7] |= (cblock[j] & 1) << (j + 1); ++ DES_set_odd_parity((DES_cblock *)cblock); ++ } ++ ++ /* fail if keys are such that triple des degrades to single des */ ++ if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 || ++ CRYPTO_memcmp(&key[8], &key[16], 8) == 0) { ++ return 0; ++ } ++ ++ return 1; ++} ++#endif ++ ++/* ++ * N-fold(K) where blocksize is N, and constant_len is K ++ * Note: Here |= denotes concatenation ++ * ++ * L = lcm(N,K) ++ * R = L/K ++ * ++ * for r: 1 -> R ++ * s |= constant rot 13*(r-1)) ++ * ++ * block = 0 ++ * for k: 1 -> K ++ * block += s[N(k-1)..(N-1)k] (one's complement addition) ++ * ++ * Optimizing for space we compute: ++ * for each l in L-1 -> 0: ++ * s[l] = (constant rot 13*(l/K))[l%k] ++ * block[l % N] += s[l] (with carry) ++ * finally add carry if any ++ */ ++static void n_fold(unsigned char *block, unsigned int blocksize, ++ const unsigned char *constant, size_t constant_len) ++{ ++ unsigned int tmp, gcd, remainder, lcm, carry; ++ int b, l; ++ ++ if (constant_len == blocksize) { ++ memcpy(block, constant, constant_len); ++ return; ++ } ++ ++ /* Least Common Multiple of lengths: LCM(a,b)*/ ++ gcd = blocksize; ++ remainder = constant_len; ++ /* Calculate Great Common Divisor 
first GCD(a,b) */ ++ while (remainder != 0) { ++ tmp = gcd % remainder; ++ gcd = remainder; ++ remainder = tmp; ++ } ++ /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */ ++ lcm = blocksize * constant_len / gcd; ++ ++ /* now spread out the bits */ ++ memset(block, 0, blocksize); ++ ++ /* last to first to be able to bring carry forward */ ++ carry = 0; ++ for (l = lcm - 1; l >= 0; l--) { ++ unsigned int rotbits, rshift, rbyte; ++ ++ /* destination byte in block is l % N */ ++ b = l % blocksize; ++ /* Our virtual s buffer is R = L/K long (K = constant_len) */ ++ /* So we rotate backwards from R-1 to 0 (none) rotations */ ++ rotbits = 13 * (l / constant_len); ++ /* find the byte on s where rotbits falls onto */ ++ rbyte = l - (rotbits / 8); ++ /* calculate how much shift on that byte */ ++ rshift = rotbits & 0x07; ++ /* rbyte % constant_len gives us the unrotated byte in the ++ * constant buffer, get also the previous byte then ++ * appropriately shift them to get the rotated byte we need */ ++ tmp = (constant[(rbyte-1) % constant_len] << (8 - rshift) ++ | constant[rbyte % constant_len] >> rshift) ++ & 0xff; ++ /* add with carry to any value placed by previous passes */ ++ tmp += carry + block[b]; ++ block[b] = tmp & 0xff; ++ /* save any carry that may be left */ ++ carry = tmp >> 8; ++ } ++ ++ /* if any carry is left at the end, add it through the number */ ++ for (b = blocksize - 1; b >= 0 && carry != 0; b--) { ++ carry += block[b]; ++ block[b] = carry & 0xff; ++ carry >>= 8; ++ } ++} ++ ++static int cipher_init(EVP_CIPHER_CTX *ctx, ++ const EVP_CIPHER *cipher, ++ const unsigned char *key, size_t key_len) ++{ ++ int klen, ret; ++ ++ ret = EVP_EncryptInit_ex(ctx, cipher, NULL, key, NULL); ++ if (!ret) ++ goto out; ++ /* set the key len for the odd variable key len cipher */ ++ klen = EVP_CIPHER_CTX_key_length(ctx); ++ if (key_len != (size_t)klen) { ++ ret = EVP_CIPHER_CTX_set_key_length(ctx, key_len); ++ if (!ret) ++ goto out; ++ } ++ /* we never want padding, 
either the length requested is a multiple of ++ * the cipher block size or we are passed a cipher that can cope with ++ * partial blocks via techniques like cipher text stealing */ ++ ret = EVP_CIPHER_CTX_set_padding(ctx, 0); ++ if (!ret) ++ goto out; ++ ++out: ++ return ret; ++} ++ ++static int KRB5KDF(const EVP_CIPHER *cipher, ++ const unsigned char *key, size_t key_len, ++ const unsigned char *constant, size_t constant_len, ++ unsigned char *okey, size_t okey_len) ++{ ++ EVP_CIPHER_CTX *ctx = NULL; ++ unsigned char block[EVP_MAX_BLOCK_LENGTH * 2]; ++ unsigned char *plainblock, *cipherblock; ++ size_t blocksize; ++ size_t cipherlen; ++ size_t osize; ++ int des3_no_fixup = 0; ++ int ret; ++ ++ if (key_len != okey_len) { ++ /* special case for 3des, where the caller may be requesting ++ * the random raw key, instead of the fixed up key */ ++ if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && ++ key_len == 24 && okey_len == 21) { ++ des3_no_fixup = 1; ++ } else { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); ++ return 0; ++ } ++ } ++ ++ ctx = EVP_CIPHER_CTX_new(); ++ if (ctx == NULL) ++ return 0; ++ ++ ret = cipher_init(ctx, cipher, key, key_len); ++ if (!ret) ++ goto out; ++ ++ /* Initialize input block */ ++ blocksize = EVP_CIPHER_CTX_block_size(ctx); ++ ++ if (constant_len > blocksize) { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_INVALID_CONSTANT_LENGTH); ++ ret = 0; ++ goto out; ++ } ++ ++ n_fold(block, blocksize, constant, constant_len); ++ plainblock = block; ++ cipherblock = block + EVP_MAX_BLOCK_LENGTH; ++ ++ for (osize = 0; osize < okey_len; osize += cipherlen) { ++ int olen; ++ ++ ret = EVP_EncryptUpdate(ctx, cipherblock, &olen, ++ plainblock, blocksize); ++ if (!ret) ++ goto out; ++ cipherlen = olen; ++ ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen); ++ if (!ret) ++ goto out; ++ if (olen != 0) { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_FINAL_BLOCK_LENGTH); ++ ret = 0; ++ goto out; ++ } ++ ++ /* write cipherblock out */ ++ if (cipherlen > okey_len - osize) 
++ cipherlen = okey_len - osize; ++ memcpy(okey + osize, cipherblock, cipherlen); ++ ++ if (okey_len > osize + cipherlen) { ++ /* we need to reinitialize cipher context per spec */ ++ ret = EVP_CIPHER_CTX_reset(ctx); ++ if (!ret) ++ goto out; ++ ret = cipher_init(ctx, cipher, key, key_len); ++ if (!ret) ++ goto out; ++ ++ /* also swap block offsets so last ciphertext becomes new ++ * plaintext */ ++ plainblock = cipherblock; ++ if (cipherblock == block) { ++ cipherblock += EVP_MAX_BLOCK_LENGTH; ++ } else { ++ cipherblock = block; ++ } ++ } ++ } ++ ++#ifndef OPENSSL_NO_DES ++ if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) { ++ ret = fixup_des3_key(okey); ++ if (!ret) { ++ KDFerr(KDF_F_KRB5KDF, KDF_R_FAILED_TO_GENERATE_KEY); ++ goto out; ++ } ++ } ++#endif ++ ++ ret = 1; ++ ++out: ++ EVP_CIPHER_CTX_free(ctx); ++ OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2); ++ return ret; ++} ++ ++const EVP_KDF_METHOD krb5kdf_kdf_meth = { ++ EVP_KDF_KRB5KDF, ++ krb5kdf_new, ++ krb5kdf_free, ++ krb5kdf_reset, ++ krb5kdf_ctrl, ++ krb5kdf_ctrl_str, ++ krb5kdf_size, ++ krb5kdf_derive, ++}; ++ diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h ---- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 -+++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-12 13:30:36.285748541 +0100 +--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-13 12:11:34.706656232 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-13 12:11:34.731655787 +0100 
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ }; -#define NUM_NID 1196 -+#define NUM_NID 1197 ++#define NUM_NID 1198 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, -@@ -2276,9 +2276,10 @@ static const ASN1_OBJECT nid_objs[NUM_NI +@@ -2276,9 +2276,11 @@ static const ASN1_OBJECT nid_objs[NUM_NI {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, {"SSHKDF", "sshkdf", NID_sshkdf}, + {"KBKDF", "kbkdf", NID_kbkdf}, ++ {"KRB5KDF", "krb5kdf", NID_krb5kdf}, }; -#define NUM_SN 1187 -+#define NUM_SN 1188 ++#define NUM_SN 1189 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ -@@ -2442,6 +2443,7 @@ static const unsigned int sn_objs[NUM_SN +@@ -2442,7 +2444,9 @@ static const unsigned int sn_objs[NUM_SN 183, /* "ISO-US" */ 645, /* "ITU-T" */ 646, /* "JOINT-ISO-ITU-T" */ + 1196, /* "KBKDF" */ 773, /* "KISA" */ ++ 1197, /* "KRB5KDF" */ 1063, /* "KxANY" */ 1039, /* "KxDHE" */ -@@ -3469,7 +3471,7 @@ static const unsigned int sn_objs[NUM_SN + 1041, /* "KxDHE-PSK" */ +@@ -3469,7 +3473,7 @@ static const unsigned int sn_objs[NUM_SN 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1187 -+#define NUM_LN 1188 ++#define NUM_LN 1189 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ -@@ -4262,6 +4264,7 @@ static const unsigned int ln_objs[NUM_LN +@@ -4262,8 +4266,10 @@ static const unsigned int ln_objs[NUM_LN 957, /* "jurisdictionCountryName" */ 955, /* "jurisdictionLocalityName" */ 956, /* "jurisdictionStateOrProvinceName" */ + 1196, /* "kbkdf" */ 150, /* "keyBag" */ 773, /* "kisa" */ ++ 1197, /* "krb5kdf" */ 1063, /* "kx-any" */ + 1039, /* "kx-dhe" */ + 1041, /* "kx-dhe-psk" */ diff -up 
openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt ---- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 -+++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-12 13:30:36.286748523 +0100 -@@ -1603,6 +1603,9 @@ secg-scheme 14 3 : dhSinglePass-cofactor +--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-13 12:11:34.707656215 +0100 ++++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-13 12:11:34.731655787 +0100 +@@ -1603,6 +1603,12 @@ secg-scheme 14 3 : dhSinglePass-cofactor # NID for SSHKDF : SSHKDF : sshkdf +# NID for KBKDF + : KBKDF : kbkdf ++ ++# NID for KRB5KDF ++ : KRB5KDF : krb5kdf + # RFC 4556 1 3 6 1 5 2 3 : id-pkinit id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num ---- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 -+++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-12 13:30:36.286748523 +0100 -@@ -1193,3 +1193,4 @@ magma_mac 1192 +--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-13 12:11:34.707656215 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-13 12:11:34.732655769 +0100 +@@ -1193,3 +1193,5 @@ magma_mac 1192 hmacWithSHA512_224 1193 hmacWithSHA512_256 1194 sshkdf 1195 +kbkdf 1196 ++krb5kdf 1197 diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod ---- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-12 13:30:36.254749099 +0100 -+++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-12 13:30:36.286748523 +0100 +--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-13 12:11:34.698656375 +0100 ++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-13 12:11:34.732655769 +0100 @@ -140,7 +140,14 @@ The value string is expected to be a dec This control expects one argument: C 
@@ -732,9 +1209,9 @@ diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man EVP_KDF_ctrl_str() type string: "md" diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod ---- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-12 13:30:36.286748523 +0100 -+++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-12 13:30:36.286748523 +0100 -@@ -0,0 +1,177 @@ +--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-13 12:11:34.732655769 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-13 12:11:34.732655769 +0100 +@@ -0,0 +1,173 @@ +=pod + +=head1 NAME @@ -865,13 +1342,9 @@ diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7 + unsigned char out[10]; + unsigned char *iv = "sixteen bytes iv"; + -+ kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL); -+ kctx = EVP_KDF_CTX_new(kdf); -+ EVP_KDF_free(kdf); -+ + kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); + -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_ecb()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_cbc()); + EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC); + EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK); + EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); 
@@ -912,9 +1385,120 @@ diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7 +L. + +=cut +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-13 12:11:34.732655769 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-13 12:11:34.732655769 +0100 +@@ -0,0 +1,107 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++Support for computing the B KDF through the B API. ++ ++The B algorithm implements the key derivation function defined ++in RFC 3961, section 5.1 and is used by Krb5 to derive session keys. ++Three inputs are required to perform key derivation: a cipher, (for example ++AES-128-CBC), the initial key, and a constant. ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it can be used with the ++EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++=item B ++ ++These controls work as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++This control sets the I value for the KDF. ++If a value is already set, the contents are replaced. ++ ++=back ++ ++ ++=head1 NOTES ++ ++A context for KRB5KDF can be obtained by calling: ++ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF); ++ ++The output length of the KRB5KDF derivation is specified via the I ++parameter to the L function, and MUST match the key ++length for the chosen cipher or an error is returned. Moreover the ++I's length must not exceed the block size of the cipher. ++Since the KRB5KDF output length depends on the chosen cipher, calling ++L to obtain the requisite length returns the correct length ++only after the cipher is set. Prior to that B is returned. 
++The caller must allocate a buffer of the correct length for the chosen ++cipher, and pass that buffer to the L function along ++with that length. ++ ++=head1 EXAMPLES ++ ++This example derives a key using the AES-128-CBC cipher: ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char key[16] = "01234..."; ++ unsigned char constant[] = "I'm a constant"; ++ unsigned char out[16]; ++ size_t outlen = sizeof(out); ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF); ++ ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, (size_t)16); ++ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, strlen(constant)); ++ if (EVP_KDF_derive(kctx, out, outlen) <= 0) ++ /* Error */ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++RFC 3961 ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut ++ diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h ---- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100 -+++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-12 13:30:36.286748523 +0100 +--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-13 12:11:34.708656197 +0100 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-13 12:11:34.732655769 +0100 @@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void); * KDF function codes. */ 
@@ -927,28 +1511,50 @@ diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include # define KDF_F_KDF_HKDF_DERIVE 113 # define KDF_F_KDF_HKDF_NEW 114 # define KDF_F_KDF_HKDF_SIZE 115 -@@ -61,7 +66,9 @@ int ERR_load_KDF_strings(void); +@@ -43,6 +48,8 @@ int ERR_load_KDF_strings(void); + # define KDF_F_KDF_TLS1_PRF_CTRL_STR 125 + # define KDF_F_KDF_TLS1_PRF_DERIVE 126 + # define KDF_F_KDF_TLS1_PRF_NEW 127 ++# define KDF_F_KRB5KDF 139 ++# define KDF_F_KRB5KDF_DERIVE 140 + # define KDF_F_PBKDF2_SET_MEMBUF 128 + # define KDF_F_PKEY_HKDF_CTRL_STR 103 + # define KDF_F_PKEY_HKDF_DERIVE 102 +@@ -61,7 +68,13 @@ int ERR_load_KDF_strings(void); /* * KDF reason codes. */ ++# define KDF_R_FAILED_TO_GENERATE_KEY 118 +# define KDF_R_INVALID_CIPHER 116 ++# define KDF_R_INVALID_CONSTANT_LENGTH 119 # define KDF_R_INVALID_DIGEST 100 +# define KDF_R_INVALID_SEED_LENGTH 117 ++# define KDF_R_MISSING_CIPHER 120 ++# define KDF_R_MISSING_CONSTANT 121 # define KDF_R_MISSING_ITERATION_COUNT 109 # define KDF_R_MISSING_KEY 104 # define KDF_R_MISSING_MESSAGE_DIGEST 105 +@@ -76,6 +89,7 @@ int ERR_load_KDF_strings(void); + # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 + # define KDF_R_VALUE_ERROR 108 + # define KDF_R_VALUE_MISSING 102 ++# define KDF_R_WRONG_FINAL_BLOCK_LENGTH 122 + # define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112 + + #endif diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h ---- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-12 13:30:36.263748937 +0100 -+++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-12 13:30:36.287748505 +0100 -@@ -21,6 +21,7 @@ extern "C" { +--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-13 12:11:34.708656197 +0100 ++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-13 12:11:34.733655752 +0100 +@@ -21,6 +21,8 @@ extern "C" { # define EVP_KDF_TLS1_PRF NID_tls1_prf # define EVP_KDF_HKDF NID_hkdf # define EVP_KDF_SSHKDF NID_sshkdf +# define EVP_KDF_KB NID_kbkdf ++# define EVP_KDF_KRB5KDF 
NID_krb5kdf EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); -@@ -51,6 +52,11 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns +@@ -51,6 +53,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */ # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */ # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */ @@ -957,10 +1563,11 @@ diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/op +# define EVP_KDF_CTRL_SET_CIPHER 0x15 /* EVP_CIPHER * */ +# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */ +# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT 0x18 /* unsigned char *, size_t */ # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 -@@ -63,6 +69,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns +@@ -63,6 +71,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 
@@ -974,23 +1581,27 @@ diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/op # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h ---- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-12 13:30:36.264748919 +0100 -+++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-12 13:30:36.287748505 +0100 -@@ -4974,6 +4974,10 @@ +--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-13 12:11:34.708656197 +0100 ++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-13 12:11:34.733655752 +0100 +@@ -4974,6 +4974,14 @@ #define LN_sshkdf "sshkdf" #define NID_sshkdf 1203 +#define SN_kbkdf "KBKDF" +#define LN_kbkdf "kbkdf" +#define NID_kbkdf 1204 ++ ++#define SN_krb5kdf "KRB5KDF" ++#define LN_krb5kdf "krb5kdf" ++#define NID_krb5kdf 1205 + #define SN_id_pkinit "id-pkinit" #define NID_id_pkinit 1031 #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c ---- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-12 13:30:36.257749045 +0100 -+++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-12 16:35:19.265237664 +0100 -@@ -225,8 +225,261 @@ err: +--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-13 12:11:34.700656339 +0100 ++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-13 12:28:33.933507568 +0100 +@@ -225,13 +225,311 @@ err: } #endif 
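Review bot: `#define NID_krb5kdf 1205` (and `NID_kbkdf 1204` above it) in the obj_mac.h section does not match the numbers this same patch registers elsewhere: obj_mac.num carries `kbkdf 1196` / `krb5kdf 1197`, and obj_dat.h sets `NUM_NID 1198` with sn_objs/ln_objs entries 1196 and 1197. nid_objs is indexed by NID, so OBJ_nid2sn()/OBJ_nid2obj() called with 1204 or 1205 would fall outside the table, even if the KDF lookup by method type still works. The context line `NID_sshkdf 1203` against `sshkdf 1195` suggests the mismatch predates this change. Whether the build regenerates obj_mac.h is not visible here; if it does not, regenerate the header from objects.txt and obj_mac.num so the three files agree, or add a comment in the patch explaining why the header values differ on purpose.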
@@ -1242,6 +1853,50 @@ diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf + EVP_KDF_CTX_free(kctx); + return ret; +} ++ ++static int test_kdf_krb5kdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[16]; ++ static unsigned char key[] = { ++ 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28, ++ 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15 ++ }; ++ static unsigned char constant[] = { ++ 0x00, 0x00, 0x00, 0x02, 0x99 ++ }; ++ static const unsigned char expected[sizeof(out)] = { ++ 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69, ++ 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B ++ }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) { ++ TEST_error("EVP_KDF_KRB5KDF"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_CIPHER"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT"); ++ goto err; ++ } ++ ++ ret = ++ TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0) ++ && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)); ++ ++err: ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int setup_tests(void) { 
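Review bot: test_kdf_krb5kdf() covers only the AES-128-CBC success path, so the input checks in KRB5KDF() (output length different from the key length, constant longer than one cipher block) are never exercised. A cheap negative case can be chained onto the existing expression, for example `&& TEST_int_le(EVP_KDF_derive(kctx, out, sizeof(out) - 1), 0)`, assuming krb5kdf_derive() passes the caller's length straight through. The KRB5KDF vectors added to evpkdf.txt in the following hunk also appear to be success cases only, so a `Result =` error vector there would cover the same gap from the data-driven side.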
@@ -1252,3 +1907,136 @@ diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf ADD_TEST(test_kdf_tls1_prf); ADD_TEST(test_kdf_hkdf); ADD_TEST(test_kdf_pbkdf2); + #ifndef OPENSSL_NO_SCRYPT + ADD_TEST(test_kdf_scrypt); + #endif ++ ADD_TEST(test_kdf_krb5kdf); + return 1; + } +diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt +--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-13 12:11:34.711656143 +0100 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-13 13:24:12.927064479 +0100 +@@ -5286,3 +5286,123 @@ Ctrl.hexsession_id = hexsession_id:a4ebd + Ctrl.type = type:A + Output = FF + Result = KDF_MISMATCH ++ ++Title = KRB5KDF tests (from RFC 3961 test vectors and krb5 sources) ++ ++#RFC3961 ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2 ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = 9e58e5a146d9942a101c469845d67a20e3c4259ed913f207 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5 ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb ++Ctrl.hexconstant = hexconstant:6b65726265726f73 ++Output = 
2370da575d2a3da864cebfdc5204d56df779a7df43d9da43 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:c1081649ada74362e6a1459d01dfd30d67c2234c940704da ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 348057ec98fdc48016161c2a4c7a943e92ae492c989175f7 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:5d154af238f46713155719d55e2f1f790dd661f279a7917c ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:798562e049852f57dc8c343ba17f2ca1d97394efc8adc443 ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:26dce334b545292f2feab9a8701a89a4b99eb9942cecd016 ++Ctrl.hexconstant = hexconstant:00000001aa ++Output = f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d ++ ++#Krb5 sources ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E ++Ctrl.hexconstant = hexconstant:0000000299 ++Output = F78C496D16E6C2DAE0E0B6C24057A84C0426AEEF26FD6DCE ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E ++Ctrl.hexconstant = hexconstant:00000002AA ++Output = 5B5723D0B634CB684C3EBA5264E9A70D52E683231AD3C4CE ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E ++Ctrl.hexconstant = hexconstant:0000000255 ++Output = A77C94980E9B7345A81525C423A737CE67F4CD91B6B3DA45 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-128-CBC ++Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15 ++Ctrl.hexconstant = hexconstant:0000000299 ++Output = 34280A382BC92769B2DA2F9EF066854B ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-128-CBC ++Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15 
++Ctrl.hexconstant = hexconstant:00000002AA ++Output = 5B14FC4E250E14DDF9DCCF1AF6674F53 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-128-CBC ++Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15 ++Ctrl.hexconstant = hexconstant:0000000255 ++Output = 4ED31063621684F09AE8D89991AF3E8F ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-256-CBC ++Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 ++Ctrl.hexconstant = hexconstant:0000000299 ++Output = BFAB388BDCB238E9F9C98D6A878304F04D30C82556375AC507A7A852790F4674 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-256-CBC ++Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 ++Ctrl.hexconstant = hexconstant:00000002AA ++Output = C7CFD9CD75FE793A586A542D87E0D1396F1134A104BB1A9190B8C90ADA3DDF37 ++ ++KDF = KRB5KDF ++Ctrl.cipher = cipher:AES-256-CBC ++Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161 ++Ctrl.hexconstant = hexconstant:0000000255 ++Output = 97151B4C76945063E2EB0529DC067D97D7BBA90776D8126D91F34F3101AEA8BA ++ ++#Same as the first but with no "fixup" ++KDF = KRB5KDF ++Ctrl.cipher = cipher:DES-EDE3-CBC ++Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92 ++Ctrl.hexconstant = hexconstant:0000000155 ++Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705 ++ diff --git a/openssl.spec b/openssl.spec index 859f4ea..21f9700 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1d -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -62,6 +62,7 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch Patch48: openssl-1.1.1-fips-post-rand.patch Patch49: openssl-1.1.1-evp-kdf.patch Patch50: openssl-1.1.1-ssh-kdf.patch +Patch60: openssl-1.1.1-krb5-kdf.patch # Backported fixes including security fixes Patch51: openssl-1.1.1-upstream-sync.patch Patch52: openssl-1.1.1-s390x-update.patch @@ -170,6 +171,7 @@ cp %{SOURCE13} test/ %patch53 -p1 -b .crng-test %patch54 -p1 -b .regression %patch55 -p1 -b .aes-asm +%patch60 -p1 -b .krb5-kdf %build @@ -456,6 +458,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Wed Nov 13 2019 Tomáš Mráz 1.1.1d-3 +- backport of KBKDF and KRB5KDF from master + * Thu Oct 3 2019 Tomáš Mráz 1.1.1d-2 - re-enable the stitched AES-CBC-SHA implementations - make AES-GCM work in FIPS mode again From 0536b721eff43ade2c439244122cabb8838b9b8a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 14 Nov 2019 16:13:49 +0100 Subject: [PATCH 8/8] backport of SSKDF from master --- openssl-1.1.1-krb5-kdf.patch | 1077 +++++++++++++++++++++++++++++++--- openssl.spec | 5 +- 2 files changed, 1015 insertions(+), 67 deletions(-) diff --git a/openssl-1.1.1-krb5-kdf.patch b/openssl-1.1.1-krb5-kdf.patch index 23d9b47..dd5b021 100644 --- a/openssl-1.1.1-krb5-kdf.patch +++ b/openssl-1.1.1-krb5-kdf.patch @@ -1,6 +1,6 @@ diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt ---- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 -+++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-13 12:11:34.728655841 +0100 +--- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-14 15:07:05.342094129 +0100 @@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g EVP_F_SCRYPT_ALG:228:scrypt_alg EVP_F_UPDATE:173:update 
@@ -22,7 +22,17 @@ diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/er KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive -@@ -2325,7 +2332,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor +@@ -853,6 +860,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl + KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive + KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init + KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf ++KDF_F_SSKDF_DERIVE:141:sskdf_derive ++KDF_F_SSKDF_NEW:142:sskdf_new ++KDF_F_SSKDF_SIZE:143:sskdf_size + KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg + OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object + OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid +@@ -2325,7 +2335,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys @@ -36,7 +46,7 @@ diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/er KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count KDF_R_MISSING_KEY:104:missing key KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest -@@ -2340,6 +2353,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas +@@ -2340,6 +2356,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type KDF_R_VALUE_ERROR:108:value error KDF_R_VALUE_MISSING:102:value missing 
@@ -45,41 +55,43 @@ diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/er OBJ_R_OID_EXISTS:102:oid exists OBJ_R_UNKNOWN_NID:101:unknown nid diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c ---- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 -+++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-13 12:11:34.729655823 +0100 -@@ -31,6 +31,8 @@ static const EVP_KDF_METHOD *standard_me +--- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-14 15:07:05.342094129 +0100 +@@ -31,6 +31,9 @@ static const EVP_KDF_METHOD *standard_me &tls1_prf_kdf_meth, &hkdf_kdf_meth, &sshkdf_kdf_meth, + &kb_kdf_meth, + &krb5kdf_kdf_meth, ++ &ss_kdf_meth }; DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, diff -up openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf openssl-1.1.1d/crypto/include/internal/evp_int.h ---- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 -+++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-13 12:11:34.729655823 +0100 -@@ -130,6 +130,8 @@ extern const EVP_KDF_METHOD scrypt_kdf_m +--- openssl-1.1.1d/crypto/include/internal/evp_int.h.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/include/internal/evp_int.h 2019-11-14 15:07:05.342094129 +0100 +@@ -130,6 +130,9 @@ extern const EVP_KDF_METHOD scrypt_kdf_m extern const EVP_KDF_METHOD tls1_prf_kdf_meth; extern const EVP_KDF_METHOD hkdf_kdf_meth; extern const EVP_KDF_METHOD sshkdf_kdf_meth; +extern const EVP_KDF_METHOD kb_kdf_meth; +extern const EVP_KDF_METHOD krb5kdf_kdf_meth; ++extern const EVP_KDF_METHOD ss_kdf_meth; struct evp_md_st { int type; diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info ---- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 -+++ 
openssl-1.1.1d/crypto/kdf/build.info 2019-11-13 12:11:34.729655823 +0100 +--- openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-14 15:07:05.342094129 +0100 @@ -1,3 +1,3 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c -+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c ++ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c sskdf.c diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c ---- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-13 12:11:34.729655823 +0100 -+++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-13 12:11:34.729655823 +0100 -@@ -0,0 +1,529 @@ +--- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 15:07:05.343094112 +0100 ++++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-14 16:07:15.385324361 +0100 +@@ -0,0 +1,530 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2019 Red Hat, Inc. @@ -183,6 +195,7 @@ diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kb + HMAC_CTX_free(ctx->m.hmac); + else + CMAC_CTX_free(ctx->m.cmac); ++ OPENSSL_free(ctx); +} + +static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx) @@ -610,8 +623,8 @@ diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kb +}; + diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c ---- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-13 12:11:34.705656250 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-13 12:11:34.730655805 +0100 +--- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-14 15:07:05.343094112 +0100 @@ -15,6 +15,11 @@ static const ERR_STRING_DATA KDF_str_functs[] = { 
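Review bot: Appending `&ss_kdf_meth` after `&krb5kdf_kdf_meth` in standard_methods[] is only safe if the table stays in ascending order of method type. The `DECLARE_OBJ_BSEARCH_CMP_FN` context line right below suggests it is searched with a binary search, and the NID used for SSKDF is not visible in this hunk. Please confirm the ordering and document the invariant on the array, e.g. `/* Must be kept sorted by ascending NID: looked up with OBJ_bsearch */`. An out-of-order entry would make EVP_KDF_CTX_new_id() fail for some IDs without any build-time warning. Adding a trailing comma after `&ss_kdf_meth` would also keep the next backport to a one-line change.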
@@ -633,7 +646,15 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/ {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"}, {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, -@@ -64,7 +71,14 @@ static const ERR_STRING_DATA KDF_str_fun +@@ -59,12 +66,22 @@ static const ERR_STRING_DATA KDF_str_fun + "pkey_tls1_prf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_DERIVE, 0), "sskdf_derive"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_NEW, 0), "sskdf_new"}, ++ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_SIZE, 0), "sskdf_size"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"}, + {0, NULL} }; static const ERR_STRING_DATA KDF_str_reasons[] = { @@ -648,7 +669,7 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT), "missing iteration count"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, -@@ -82,6 +96,8 @@ static const ERR_STRING_DATA KDF_str_rea +@@ -82,6 +99,8 @@ static const ERR_STRING_DATA KDF_str_rea "unknown parameter type"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, 
@@ -658,8 +679,8 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/ "wrong output buffer size"}, {0, NULL} diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h ---- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-13 12:11:34.697656393 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-13 12:11:34.730655805 +0100 +--- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 15:07:05.313094646 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-14 15:07:05.344094093 +0100 @@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl, int kdf_md2ctrl(EVP_KDF_IMPL *impl, int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), @@ -669,8 +690,8 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kd + int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), + int cmd, const char *cipher_name); diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c ---- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-13 12:11:34.697656393 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-13 12:11:34.730655805 +0100 +--- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 15:07:05.313094646 +0100 ++++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-14 15:07:05.344094093 +0100 @@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl, return call_ctrl(ctrl, impl, cmd, md); } @@ -689,8 +710,8 @@ diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf + return call_ctrl(ctrl, impl, cmd, cipher); +} diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/krb5kdf.c ---- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-13 12:11:34.730655805 +0100 -+++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-13 12:25:50.519417362 +0100 +--- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100 ++++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-14 16:11:17.761978261 +0100 
@@ -0,0 +1,417 @@ +/* + * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. @@ -1028,7 +1049,7 @@ diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/ + /* Initialize input block */ + blocksize = EVP_CIPHER_CTX_block_size(ctx); + -+ if (constant_len > blocksize) { ++ if (constant_len == 0 || constant_len > blocksize) { + KDFerr(KDF_F_KRB5KDF, KDF_R_INVALID_CONSTANT_LENGTH); + ret = 0; + goto out; 
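Review bot: The added `constant_len == 0` rejection carries no comment saying why an empty constant is invalid, and it reports the same KDF_R_INVALID_CONSTANT_LENGTH as the upper-bound case. A one-line comment above the check would help, for example `/* n_fold() needs a non-empty constant of at most one cipher block */`; the n_fold() call sits below this hunk, so confirm the wording against it. The EVP_KDF_KRB5KDF.pod text added by the earlier revision of this patch documents only the upper bound ("must not exceed the block size of the cipher") and should also say the constant must be non-empty. KRB5KDF() starts and ends outside this hunk.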
@@ -1109,32 +1130,289 @@ diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/ + krb5kdf_derive, +}; + +diff -up openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sskdf.c +--- openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100 ++++ openssl-1.1.1d/crypto/kdf/sskdf.c 2019-11-14 15:43:17.603150203 +0100 +@@ -0,0 +1,252 @@ ++/* ++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* ++ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final ++ * Section 4.1. ++ * ++ * The Single Step KDF algorithm is given by: ++ * ++ * Result(0) = empty bit string (i.e., the null string). ++ * For i = 1 to reps, do the following: ++ * Increment counter by 1. ++ * Result(i) = Result(i – 1) || H(counter || Z || FixedInfo). ++ * DKM = LeftmostBits(Result(reps), L)) ++ * ++ * NOTES: ++ * Z is a shared secret required to produce the derived key material. ++ * counter is a 4 byte buffer. ++ * FixedInfo is a bit string containing context specific data. ++ * DKM is the output derived key material. ++ * L is the required size of the DKM. ++ * reps = [L / H_outputBits] ++ * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC. ++ * This backported version supports only a hash. ++ * H_outputBits is the length of the output of the auxiliary function H(x). ++ * ++ * Currently there is not a comprehensive list of test vectors for this ++ * algorithm, especially for H(x) = HMAC and H(x) = KMAC. ++ * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests. 
++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "internal/cryptlib.h" ++#include "internal/evp_int.h" ++#include "kdf_local.h" ++ ++struct evp_kdf_impl_st { ++ const EVP_MD *md; /* H(x) = hash */ ++ unsigned char *secret; ++ size_t secret_len; ++ unsigned char *info; ++ size_t info_len; ++}; ++ ++#define SSKDF_MAX_INLEN (1<<30) ++ ++/* ++ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final ++ * Section 4. One-Step Key Derivation using H(x) = hash(x) ++ */ ++static int SSKDF_hash_kdm(const EVP_MD *kdf_md, ++ const unsigned char *z, size_t z_len, ++ const unsigned char *info, size_t info_len, ++ unsigned char *derived_key, size_t derived_key_len) ++{ ++ int ret = 0, hlen; ++ size_t counter, out_len, len = derived_key_len; ++ unsigned char c[4]; ++ unsigned char mac[EVP_MAX_MD_SIZE]; ++ unsigned char *out = derived_key; ++ EVP_MD_CTX *ctx = NULL, *ctx_init = NULL; ++ ++ if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN ++ || derived_key_len > SSKDF_MAX_INLEN ++ || derived_key_len == 0) ++ return 0; ++ ++ hlen = EVP_MD_size(kdf_md); ++ if (hlen <= 0) ++ return 0; ++ out_len = (size_t)hlen; ++ ++ ctx = EVP_MD_CTX_create(); ++ ctx_init = EVP_MD_CTX_create(); ++ if (ctx == NULL || ctx_init == NULL) ++ goto end; ++ ++ if (!EVP_DigestInit(ctx_init, kdf_md)) ++ goto end; ++ ++ for (counter = 1;; counter++) { ++ c[0] = (unsigned char)((counter >> 24) & 0xff); ++ c[1] = (unsigned char)((counter >> 16) & 0xff); ++ c[2] = (unsigned char)((counter >> 8) & 0xff); ++ c[3] = (unsigned char)(counter & 0xff); ++ ++ if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init) ++ && EVP_DigestUpdate(ctx, c, sizeof(c)) ++ && EVP_DigestUpdate(ctx, z, z_len) ++ && EVP_DigestUpdate(ctx, info, info_len))) ++ goto end; ++ if (len >= out_len) { ++ if (!EVP_DigestFinal_ex(ctx, out, NULL)) ++ goto end; ++ out += out_len; ++ len -= out_len; ++ if (len == 0) ++ break; ++ } else { ++ if (!EVP_DigestFinal_ex(ctx, mac, NULL)) ++ goto end; ++ memcpy(out, 
mac, len); ++ break; ++ } ++ } ++ ret = 1; ++end: ++ EVP_MD_CTX_destroy(ctx); ++ EVP_MD_CTX_destroy(ctx_init); ++ OPENSSL_cleanse(mac, sizeof(mac)); ++ return ret; ++} ++ ++static EVP_KDF_IMPL *sskdf_new(void) ++{ ++ EVP_KDF_IMPL *impl; ++ ++ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) ++ KDFerr(KDF_F_SSKDF_NEW, ERR_R_MALLOC_FAILURE); ++ return impl; ++} ++ ++static void sskdf_reset(EVP_KDF_IMPL *impl) ++{ ++ OPENSSL_clear_free(impl->secret, impl->secret_len); ++ OPENSSL_clear_free(impl->info, impl->info_len); ++ memset(impl, 0, sizeof(*impl)); ++} ++ ++static void sskdf_free(EVP_KDF_IMPL *impl) ++{ ++ sskdf_reset(impl); ++ OPENSSL_free(impl); ++} ++ ++static int sskdf_set_buffer(va_list args, unsigned char **out, size_t *out_len) ++{ ++ const unsigned char *p; ++ size_t len; ++ ++ p = va_arg(args, const unsigned char *); ++ len = va_arg(args, size_t); ++ if (len == 0 || p == NULL) ++ return 1; ++ ++ OPENSSL_free(*out); ++ *out = OPENSSL_memdup(p, len); ++ if (*out == NULL) ++ return 0; ++ ++ *out_len = len; ++ return 1; ++} ++ ++static int sskdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) ++{ ++ const EVP_MD *md; ++ ++ switch (cmd) { ++ case EVP_KDF_CTRL_SET_KEY: ++ return sskdf_set_buffer(args, &impl->secret, &impl->secret_len); ++ ++ case EVP_KDF_CTRL_SET_SSKDF_INFO: ++ return sskdf_set_buffer(args, &impl->info, &impl->info_len); ++ ++ case EVP_KDF_CTRL_SET_MD: ++ md = va_arg(args, const EVP_MD *); ++ if (md == NULL) ++ return 0; ++ ++ impl->md = md; ++ return 1; ++ ++ default: ++ return -2; ++ } ++} ++ ++static int sskdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, ++ const char *value) ++{ ++ if (strcmp(type, "secret") == 0 || strcmp(type, "key") == 0) ++ return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY, ++ value); ++ ++ if (strcmp(type, "hexsecret") == 0 || strcmp(type, "hexkey") == 0) ++ return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY, ++ value); ++ ++ if (strcmp(type, "info") == 0) ++ return kdf_str2ctrl(impl, sskdf_ctrl, 
EVP_KDF_CTRL_SET_SSKDF_INFO, ++ value); ++ ++ if (strcmp(type, "hexinfo") == 0) ++ return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO, ++ value); ++ ++ if (strcmp(type, "digest") == 0) ++ return kdf_md2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_MD, value); ++ ++ return -2; ++} ++ ++static size_t sskdf_size(EVP_KDF_IMPL *impl) ++{ ++ int len; ++ ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_SSKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); ++ return 0; ++ } ++ len = EVP_MD_size(impl->md); ++ return (len <= 0) ? 0 : (size_t)len; ++} ++ ++static int sskdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen) ++{ ++ if (impl->secret == NULL) { ++ KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_SECRET); ++ return 0; ++ } ++ ++ /* H(x) = hash */ ++ if (impl->md == NULL) { ++ KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); ++ return 0; ++ } ++ return SSKDF_hash_kdm(impl->md, impl->secret, impl->secret_len, ++ impl->info, impl->info_len, key, keylen); ++} ++ ++const EVP_KDF_METHOD ss_kdf_meth = { ++ EVP_KDF_SS, ++ sskdf_new, ++ sskdf_free, ++ sskdf_reset, ++ sskdf_ctrl, ++ sskdf_ctrl_str, ++ sskdf_size, ++ sskdf_derive ++}; diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h ---- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-13 12:11:34.706656232 +0100 -+++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-13 12:11:34.731655787 +0100 +--- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-14 15:07:05.345094076 +0100 
@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ }; -#define NUM_NID 1196 -+#define NUM_NID 1198 ++#define NUM_NID 1199 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, -@@ -2276,9 +2276,11 @@ static const ASN1_OBJECT nid_objs[NUM_NI +@@ -2276,9 +2276,12 @@ static const ASN1_OBJECT nid_objs[NUM_NI {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, {"SSHKDF", "sshkdf", NID_sshkdf}, + {"KBKDF", "kbkdf", NID_kbkdf}, + {"KRB5KDF", "krb5kdf", NID_krb5kdf}, ++ {"SSKDF", "sskdf", NID_sskdf}, }; -#define NUM_SN 1187 -+#define NUM_SN 1189 ++#define NUM_SN 1190 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ -@@ -2442,7 +2444,9 @@ static const unsigned int sn_objs[NUM_SN +@@ -2442,7 +2445,9 @@ static const unsigned int sn_objs[NUM_SN 183, /* "ISO-US" */ 645, /* "ITU-T" */ 646, /* "JOINT-ISO-ITU-T" */ 
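Review bot: In the added crypto/kdf/sskdf.c, `sskdf_set_buffer()` releases the previously stored buffer with `OPENSSL_free(*out)`, so when `EVP_KDF_CTRL_SET_KEY` is issued a second time the old shared secret goes back to the heap without being wiped. `sskdf_reset()` in the same file already uses `OPENSSL_clear_free()` for both buffers; the setter should match it with `OPENSSL_clear_free(*out, *out_len);`. The early `return 1` for `len == 0 || p == NULL` also leaves any earlier value in place while reporting success, which deserves a comment such as `/* empty input keeps the previously set value */` so callers do not assume the info or secret was cleared.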
@@ -1144,16 +1422,24 @@ diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/ 1063, /* "KxANY" */ 1039, /* "KxDHE" */ 1041, /* "KxDHE-PSK" */ -@@ -3469,7 +3473,7 @@ static const unsigned int sn_objs[NUM_SN +@@ -2557,6 +2562,7 @@ static const unsigned int sn_objs[NUM_SN + 100, /* "SN" */ + 1006, /* "SNILS" */ + 1195, /* "SSHKDF" */ ++ 1198, /* "SSKDF" */ + 16, /* "ST" */ + 143, /* "SXNetID" */ + 1062, /* "SipHash" */ +@@ -3469,7 +3475,7 @@ static const unsigned int sn_objs[NUM_SN 1093, /* "x509ExtAdmission" */ }; -#define NUM_LN 1187 -+#define NUM_LN 1189 ++#define NUM_LN 1190 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ -@@ -4262,8 +4266,10 @@ static const unsigned int ln_objs[NUM_LN +@@ -4262,8 +4268,10 @@ static const unsigned int ln_objs[NUM_LN 957, /* "jurisdictionCountryName" */ 955, /* "jurisdictionLocalityName" */ 956, /* "jurisdictionStateOrProvinceName" */ 
@@ -1164,10 +1450,18 @@ diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/ 1063, /* "kx-any" */ 1039, /* "kx-dhe" */ 1041, /* "kx-dhe-psk" */ +@@ -4612,6 +4620,7 @@ static const unsigned int ln_objs[NUM_LN + 1133, /* "sm4-ecb" */ + 1135, /* "sm4-ofb" */ + 1195, /* "sshkdf" */ ++ 1198, /* "sskdf" */ + 16, /* "stateOrProvinceName" */ + 660, /* "streetAddress" */ + 498, /* "subtreeMaximumQuality" */ diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt ---- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-13 12:11:34.707656215 +0100 -+++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-13 12:11:34.731655787 +0100 -@@ -1603,6 +1603,12 @@ secg-scheme 14 3 : dhSinglePass-cofactor +--- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 ++++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-14 15:07:05.345094076 +0100 +@@ -1603,6 +1603,15 @@ secg-scheme 14 3 : dhSinglePass-cofactor # NID for SSHKDF : SSHKDF : sshkdf 
@@ -1176,22 +1470,26 @@ diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypt + +# NID for KRB5KDF + : KRB5KDF : krb5kdf ++ ++# NID for SSKDF ++ : SSKDF : sskdf + # RFC 4556 1 3 6 1 5 2 3 : id-pkinit id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num ---- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-13 12:11:34.707656215 +0100 -+++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-13 12:11:34.732655769 +0100 -@@ -1193,3 +1193,5 @@ magma_mac 1192 +--- openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 ++++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-14 15:07:05.346094058 +0100 +@@ -1193,3 +1193,6 @@ magma_mac 1192 hmacWithSHA512_224 1193 hmacWithSHA512_256 1194 sshkdf 1195 +kbkdf 1196 +krb5kdf 1197 ++sskdf 1198 diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod ---- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-13 12:11:34.698656375 +0100 -+++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-13 12:11:34.732655769 +0100 +--- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 15:07:05.314094628 +0100 ++++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-14 15:07:05.346094058 +0100 @@ -140,7 +140,14 @@ The value string is expected to be a dec This control expects one argument: C 
@@ -1209,8 +1507,8 @@ diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man EVP_KDF_ctrl_str() type string: "md" diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod ---- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-13 12:11:34.732655769 +0100 -+++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-13 12:11:34.732655769 +0100 +--- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-14 15:07:05.346094058 +0100 @@ -0,0 +1,173 @@ +=pod + @@ -1386,8 +1684,8 @@ diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7 + +=cut diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod ---- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-13 12:11:34.732655769 +0100 -+++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-13 12:11:34.732655769 +0100 +--- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 15:07:05.346094058 +0100 @@ -0,0 +1,107 @@ +=pod + 
@@ -1496,9 +1794,159 @@ diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc + +=cut + +diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod +--- openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 ++++ openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod 2019-11-14 15:07:05.346094058 +0100 +@@ -0,0 +1,146 @@ ++=pod ++ ++=head1 NAME ++ ++EVP_KDF_SS - The Single Step / One Step EVP_KDF implementation ++ ++=head1 DESCRIPTION ++ ++The EVP_KDF_SS algorithm implements the Single Step key derivation function (SSKDF). ++SSKDF derives a key using input such as a shared secret key (that was generated ++during the execution of a key establishment scheme) and fixedinfo. ++SSKDF is also informally referred to as 'Concat KDF'. ++ ++=head2 Auxilary function ++ ++The implementation uses a selectable auxiliary function H, which can be in the ++backported version only a: ++ ++=over 4 ++ ++=item B ++ ++=back ++ ++=head2 Numeric identity ++ ++B is the numeric identity for this implementation; it ++can be used with the EVP_KDF_CTX_new_id() function. ++ ++=head2 Supported controls ++ ++The supported controls are: ++ ++=over 4 ++ ++=item B ++ ++This control works as described in L. ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++The shared secret used for key derivation. This control sets the secret. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "secret" ++ ++The value string is used as is. ++ ++=item "hexsecret" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=item B ++ ++This control expects two arguments: C, C ++ ++An optional value for fixedinfo, also known as otherinfo. This control sets the fixedinfo. ++ ++EVP_KDF_ctrl_str() takes two type strings for this control: ++ ++=over 4 ++ ++=item "info" ++ ++The value string is used as is. 
++ ++=item "hexinfo" ++ ++The value string is expected to be a hexadecimal number, which will be ++decoded before being passed on as the control value. ++ ++=back ++ ++=back ++ ++=head1 NOTES ++ ++A context for SSKDF can be obtained by calling: ++ ++EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); ++ ++The output length of an SSKDF is specified via the C ++parameter to the L function. ++ ++=head1 EXAMPLE ++ ++This example derives 10 bytes using H(x) = SHA-256, with the secret key "secret" ++and fixedinfo value "label": ++ ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ error("EVP_KDF_CTRL_SET_MD"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ error("EVP_KDF_CTRL_SET_KEY"); ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, "label", (size_t)5) <= 0) { ++ error("EVP_KDF_CTRL_SET_SSKDF_INFO"); ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ error("EVP_KDF_derive"); ++ } ++ ++ EVP_KDF_CTX_free(kctx); ++ ++=head1 CONFORMING TO ++ ++NIST SP800-56Cr1. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++This functionality was added to OpenSSL 3.0.0. ++ ++=head1 COPYRIGHT ++ ++Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. Copyright ++(c) 2019, Oracle and/or its affiliates. All rights reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. 
++ ++=cut diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h ---- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-13 12:11:34.708656197 +0100 -+++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-13 12:11:34.732655769 +0100 +--- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100 ++++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-14 15:07:05.347094040 +0100 @@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void); * KDF function codes. */ @@ -1520,7 +1968,15 @@ diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include # define KDF_F_PBKDF2_SET_MEMBUF 128 # define KDF_F_PKEY_HKDF_CTRL_STR 103 # define KDF_F_PKEY_HKDF_DERIVE 102 -@@ -61,7 +68,13 @@ int ERR_load_KDF_strings(void); +@@ -56,12 +63,21 @@ int ERR_load_KDF_strings(void); + # define KDF_F_PKEY_TLS1_PRF_DERIVE 101 + # define KDF_F_PKEY_TLS1_PRF_INIT 110 + # define KDF_F_SCRYPT_SET_MEMBUF 129 ++# define KDF_F_SSKDF_DERIVE 141 ++# define KDF_F_SSKDF_NEW 142 ++# define KDF_F_SSKDF_SIZE 143 + # define KDF_F_TLS1_PRF_ALG 111 + /* * KDF reason codes. */ @@ -1534,7 +1990,7 @@ diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include # define KDF_R_MISSING_ITERATION_COUNT 109 # define KDF_R_MISSING_KEY 104 # define KDF_R_MISSING_MESSAGE_DIGEST 105 -@@ -76,6 +89,7 @@ int ERR_load_KDF_strings(void); +@@ -76,6 +92,7 @@ int ERR_load_KDF_strings(void); # define KDF_R_UNKNOWN_PARAMETER_TYPE 103 # define KDF_R_VALUE_ERROR 108 # define KDF_R_VALUE_MISSING 102 
@@ -1543,18 +1999,19 @@ diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include #endif diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h ---- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-13 12:11:34.708656197 +0100 -+++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-13 12:11:34.733655752 +0100 -@@ -21,6 +21,8 @@ extern "C" { +--- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100 ++++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-14 15:07:05.347094040 +0100 +@@ -21,6 +21,9 @@ extern "C" { # define EVP_KDF_TLS1_PRF NID_tls1_prf # define EVP_KDF_HKDF NID_hkdf # define EVP_KDF_SSHKDF NID_sshkdf +# define EVP_KDF_KB NID_kbkdf +# define EVP_KDF_KRB5KDF NID_krb5kdf ++# define EVP_KDF_SS NID_sskdf EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); -@@ -51,6 +53,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns +@@ -51,6 +54,13 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */ # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */ # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */ @@ -1564,10 +2021,11 @@ diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/op +# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */ +# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */ +# define EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT 0x18 /* unsigned char *, size_t */ ++# define EVP_KDF_CTRL_SET_SSKDF_INFO 0x19 /* unsigned char *, size_t */ # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0 # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 -@@ -63,6 +71,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns +@@ -63,6 +73,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69 #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70 
@@ -1581,9 +2039,9 @@ diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/op # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL) diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h ---- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-13 12:11:34.708656197 +0100 -+++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-13 12:11:34.733655752 +0100 -@@ -4974,6 +4974,14 @@ +--- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100 ++++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-14 15:07:05.347094040 +0100 +@@ -4974,6 +4974,18 @@ #define LN_sshkdf "sshkdf" #define NID_sshkdf 1203 @@ -1594,14 +2052,18 @@ diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/includ +#define SN_krb5kdf "KRB5KDF" +#define LN_krb5kdf "krb5kdf" +#define NID_krb5kdf 1205 ++ ++#define SN_sskdf "SSKDF" ++#define LN_sskdf "sskdf" ++#define NID_sskdf 1206 + #define SN_id_pkinit "id-pkinit" #define NID_id_pkinit 1031 #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c ---- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-13 12:11:34.700656339 +0100 -+++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-13 12:28:33.933507568 +0100 -@@ -225,13 +225,311 @@ err: +--- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-14 15:07:05.315094610 +0100 ++++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-14 15:07:05.348094022 +0100 +@@ -225,13 +225,358 @@ err: } #endif 
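Review bot: `NID_sskdf` is defined as `1206` in the obj_mac.h section, but obj_mac.num in this same patch assigns `sskdf 1198`, the `sn_objs`/`ln_objs` tables in obj_dat.h reference `1198`, and `NUM_NID` is raised to only `1199`. The neighbouring lines show the same offset (`NID_krb5kdf 1205` against `krb5kdf 1197`, `NID_sshkdf 1203` against `sshkdf 1195`), so the header values look carried over from a different numbering. Unless obj_mac.h is regenerated from objects.txt and obj_mac.num during the build, which is not visible here, the NID stored in the new `nid_objs` entry lies outside the table range and object lookups by that NID would presumably fail. The define should agree with the other files, `#define NID_sskdf 1198`, and the two neighbours need the same check.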
@@ -1897,6 +2359,52 @@ diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf + return ret; +} + ++static int test_kdf_ss_hash(void) ++{ ++ EVP_KDF_CTX *kctx; ++ const unsigned char z[] = { ++ 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e, ++ 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62, ++ 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4, ++ 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9 ++ }; ++ const unsigned char other[] = { ++ 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e, ++ 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde, ++ 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e, ++ 0xe0,0xec,0x3f,0x8d,0xbe ++ }; ++ const unsigned char expected[] = { ++ 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8 ++ }; ++ unsigned char out[14]; ++ ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_MD"); ++ return 0; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_KEY"); ++ return 0; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other, ++ sizeof(other)) <= 0) { ++ TEST_error("EVP_KDF_CTRL_SET_SSKDF_INFO"); ++ return 0; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ TEST_error("EVP_KDF_derive"); ++ return 0; ++ } ++ ++ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) ++ return 0; ++ ++ EVP_KDF_CTX_free(kctx); ++ return 1; ++} + int setup_tests(void) { 
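Review bot: `test_kdf_ss_hash()` never checks the result of `EVP_KDF_CTX_new_id()`, and every failure path returns 0 without calling `EVP_KDF_CTX_free(kctx)`, so a failing run leaks the context and adds noise under a leak checker. The function just above it ends in `return ret;`, which suggests the neighbouring tests use a single exit; the same shape fits here. The body should check the allocation, replace each `return 0` with `goto err`, and free the context on the one exit path.

```c
static int test_kdf_ss_hash(void)
{
    int ret = 0;
    EVP_KDF_CTX *kctx;
    /* … unchanged: z, other, expected, out … */

    if (!TEST_ptr(kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS)))
        return 0;

    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) {
        TEST_error("EVP_KDF_CTRL_SET_MD");
        goto err;
    }
    /* … SET_KEY, SET_SSKDF_INFO and derive checks as before, with return 0 replaced by goto err … */

    if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
        goto err;

    ret = 1;
err:
    EVP_KDF_CTX_free(kctx);
    return ret;
}
```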
@@ -1911,12 +2419,13 @@ diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf ADD_TEST(test_kdf_scrypt); #endif + ADD_TEST(test_kdf_krb5kdf); ++ ADD_TEST(test_kdf_ss_hash); return 1; } diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt ---- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-13 12:11:34.711656143 +0100 -+++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-13 13:24:12.927064479 +0100 -@@ -5286,3 +5286,123 @@ Ctrl.hexsession_id = hexsession_id:a4ebd +--- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 15:07:05.327094396 +0100 ++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 15:07:05.349094005 +0100 +@@ -5286,3 +5286,559 @@ Ctrl.hexsession_id = hexsession_id:a4ebd Ctrl.type = type:A Output = FF Result = KDF_MISMATCH 
@@ -2040,3 +2549,439 @@ diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openss +Ctrl.hexconstant = hexconstant:0000000155 +Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705 + ++#There are currently no official test vectors for Single Step KDF ++#https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors ++Title = Single Step KDF tests ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:d09a6b1a472f930db4f5e6b967900744 ++Ctrl.hexinfo = hexinfo:b117255ab5f1b6b96fc434b0 ++Output = b5a3c52e97ae6e8c5069954354eab3c7 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:343666c0dd34b756e70f759f14c304f5 ++Ctrl.hexinfo = hexinfo:722b28448d7eab85491bce09 ++Output = 1003b650ddd3f0891a15166db5ec881d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b84acf03ab08652dd7f82fa956933261 ++Ctrl.hexinfo = hexinfo:3d8773ec068c86053a918565 ++Output = 1635dcd1ce698f736831b4badb68ab2b ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:8cc24ca3f1d1a8b34783780b79890430 ++Ctrl.hexinfo = hexinfo:f08d4f2d9a8e6d7105c0bc16 ++Output = b8e716fb84a420aed4812cd76d9700ee ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b616905a6f7562cd2689142ce21e42a3 ++Ctrl.hexinfo = hexinfo:ead310159a909da87e7b4b40 ++Output = 1b9201358c50fe5d5d42907c4a9fce78 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:3f57fd3fd56199b3eb33890f7ee28180 ++Ctrl.hexinfo = hexinfo:7a5056ba4fdb034c7cb6c4fe ++Output = e51ebd30a8c4b8449b0fb29d9adc11af ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:fb9fb108d104e9f662d6593fc84cde69 ++Ctrl.hexinfo = hexinfo:5faf29211c1bdbf1b2696a7c ++Output = 7a3a7e670656e48c390cdd7c51e167e0 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:237a39981794f4516dccffc3dda28396 ++Ctrl.hexinfo = hexinfo:62ed9528d104c241e0f66275 ++Output = 
0c26fc9e90e1c5c5f943428301682045 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:b9b6c45f7279218fa09894e06366a3a1 ++Ctrl.hexinfo = hexinfo:0f384339670aaed4b89ecb7e ++Output = ee5fad414e32fad5d52a2bf61a7f6c72 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:08b7140e2cd0a4abd79171e4d5a71cad ++Ctrl.hexinfo = hexinfo:099211f0d8a2e02dbb5958c0 ++Output = 6162f5142e057efafd2c4f2bad5985a1 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a2 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f4853 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493d ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = 
hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759a ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac704 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbe ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf1050 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = 
hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f3 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA1 ++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 ++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b ++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8b ++ ++KDF = SSKDF 
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f22
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f227688
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abf
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d
++
++KDF = SSKDF 
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
++Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
++Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d9192
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:d7e6
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 31e798e9931b612a3ad1b9b1008faa8c
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:4646779d
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 139f68bcca879b490e268e569087d04d
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:d9811c81d4c6
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 914dc4f09cb633a76e6c389e04c64485
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:8838f9d99ec46f09
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 4f07dfb6f7a5bf348689e08b2e29c948
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:3e0939b33f34e779f30e
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = b42c7a98c23be19d1187ff960e87557f
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:f36230cacca4d245d303058c
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 50f2068d8010d355d56c5e34aaffbc67
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:7005d32c3d4284c73c3aefc70438
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 66fd712ccf5462bbd41e89041ea7ea26
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:c01c83150b7734f8dbd6efd6f54d7365 
++Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff
++Output = 5c5edb0ceda9cd0c7f1f3d9e239c67d5
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:9949
++Output = 33c83f54ed00fb1bccd2113e88550941
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:17144da6
++Output = a999c28961424cab35ec06015e8c376a
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:dffdee1062eb
++Output = 4101ad50e626ed6f957bff926dfbb7db
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:9f365043e23b4648
++Output = 4d3e4b971b88771f229df9f564984832
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:a885a0c4567ddc4f96da
++Output = bebbc30f5a83df5e9c9b57db33c0c879
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:c9d86183295bfe4c3d85f0fd
++Output = 87c947e45407db63eb94cbaa02d14e94
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:825fadce46964236a486732c5dad
++Output = 192370a85ff78e3c0245129d9b398558
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9
++Ctrl.hexinfo = hexinfo:5c0b5eb3ac9f342347d73d7a521723aa
++Output = c7b7634fd809383e87c4b1b3e728be56
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:8d7a4e7d5cf34b3f74873b862aeb33b7
++Output = 6a5594f402f74f69
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:9b208e7ee1e641fac1dff48fc1beb2d2
++Output = 556ed67e24ac0c7c46cc432da8bdb23c
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1 
++Ctrl.hexsecret = hexsecret:4d2572539fed433211da28c8a0eebac3
++Output = 5a4054c59c5b92814025578f43c1b79fe84968fc284e240b
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:4e1e70c9886819a31bc29a537911add9
++Output = ddbfc440449aab4131c6d8aec08ce1496f2702241d0e27cc155c5c7c3cda75b5
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:68f144c952528e540c686dc353b766f2
++Output = 59ed66bb6f54a9688a0b891d0b2ea6743621d9e1b5cc098cf3a55e6f864f9af8a95e4d945d2f987f
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:b66c9d507c9f837fbe60b6675fdbf38b
++Output = c282787ddf421a72fc88811be81b08d0d6ab66c92d1011974aa58335a6bbbd62e9e982bfae5929865ea1d517247089d2
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:34e730b49e46c7ed2fb25975a4cccd2d
++Output = 39e76e6571cb00740260b9070accbdcc4a492c295cbef33d9e37dac21e5e9d07e0f12dc7063d2172641475d4e08b8e3712fb26a10c8376b8
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = hexsecret:e340d87e2d7adbc1b95ec2dbdc3b82be
++Output = a660c0037a53f76f1e7667043f5869348ad07ac0e272e615ce31f16d4ab90d4b35fe5c370c0010ce79aff45682c6fb8b97f9a05b7d40b5af3c62999a10df9c6d
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA256
++Ctrl.hexsecret = hexsecret:afc4e154498d4770aa8365f6903dc83b
++Ctrl.hexinfo = hexinfo:662af20379b29d5ef813e655
++Output = f0b80d6ae4c1e19e2105a37024e35dc6
++
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA512
++Ctrl.hexsecret = hexsecret:108cf63318555c787fa578731dd4f037
++Ctrl.hexinfo = hexinfo:53191b1dd3f94d83084d61d6
++Output = 0ad475c1826da3007637970c8b92b993
++
++Title = SSKDF Test vectors from RFC 8636 Section 8 (With precoumputed ASN.1 info)
++
++KDF = SSKDF
++Ctrl.digest = digest:SHA1
++Ctrl.hexsecret = 
hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ctrl.hexinfo = hexinfo:307e300a06082b06010502030601a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb ++Output = e6ab38c9413e035bb079201ed0b6b73d8d49a814a737c04ee6649614206f73ad ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA256 ++Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ctrl.hexinfo = hexinfo:307e300a06082b06010502030602a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb ++Output = 77ef4e48c420ae3fec75109d7981697eed5d295c90c62564f7bfd101fa9bc1d5 ++ ++KDF = SSKDF ++Ctrl.digest = digest:SHA512 ++Ctrl.hexsecret = 
hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ++Ctrl.hexinfo = hexinfo:307e300a06082b06010502030603a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020110a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb ++Output = d3c78b78d75313e9a926f75dfb012363fa17fa01db diff --git a/openssl.spec b/openssl.spec index 21f9700..ad32820 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1d -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -458,6 +458,9 @@ export LD_LIBRARY_PATH %ldconfig_scriptlets libs %changelog +* Thu Nov 14 2019 Tomáš Mráz 1.1.1d-4 +- backport of SSKDF from master + * Wed Nov 13 2019 Tomáš Mráz 1.1.1d-3 - backport of KBKDF and KRB5KDF from master