Compare commits
4 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
264133c642 | ||
|
c03027ac74 | ||
|
75daf4be4b | ||
|
7781d50308 |
11
.gitignore
vendored
@ -38,14 +38,3 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-1.1.0f-hobbled.tar.xz
|
/openssl-1.1.0f-hobbled.tar.xz
|
||||||
/openssl-1.1.0g-hobbled.tar.xz
|
/openssl-1.1.0g-hobbled.tar.xz
|
||||||
/openssl-1.1.0h-hobbled.tar.xz
|
/openssl-1.1.0h-hobbled.tar.xz
|
||||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1-pre9-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1a-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1b-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1c-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1d-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1e-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1f-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1g-hobbled.tar.xz
|
|
||||||
/openssl-1.1.1h-hobbled.tar.xz
|
|
||||||
|
139
ec_curve.c
@ -1,6 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
|
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
|
||||||
*
|
*
|
||||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||||
* this file except in compliance with the License. You can obtain a copy
|
* this file except in compliance with the License. You can obtain a copy
|
||||||
@ -8,12 +7,26 @@
|
|||||||
* https://www.openssl.org/source/license.html
|
* https://www.openssl.org/source/license.html
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
/* ====================================================================
|
||||||
|
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
||||||
|
*
|
||||||
|
* Portions of the attached software ("Contribution") are developed by
|
||||||
|
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
||||||
|
*
|
||||||
|
* The Contribution is licensed pursuant to the OpenSSL open source
|
||||||
|
* license provided above.
|
||||||
|
*
|
||||||
|
* The elliptic curve binary polynomial software is originally written by
|
||||||
|
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include "ec_local.h"
|
#include "ec_lcl.h"
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#include <openssl/obj_mac.h>
|
#include <openssl/obj_mac.h>
|
||||||
#include <openssl/opensslconf.h>
|
#include <openssl/opensslconf.h>
|
||||||
#include "internal/nelem.h"
|
#include "e_os.h"
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
int field_type, /* either NID_X9_62_prime_field or
|
int field_type, /* either NID_X9_62_prime_field or
|
||||||
@ -337,8 +350,6 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
EC_GROUP_set_curve_name(group, curve.nid);
|
|
||||||
|
|
||||||
if ((P = EC_POINT_new(group)) == NULL) {
|
if ((P = EC_POINT_new(group)) == NULL) {
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
goto err;
|
goto err;
|
||||||
@ -349,7 +360,7 @@ static EC_GROUP *ec_group_new_from_data(const ec_list_element curve)
|
|||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) {
|
if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) {
|
||||||
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
@ -404,6 +415,8 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int nid)
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
EC_GROUP_set_curve_name(ret, nid);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -468,115 +481,3 @@ int EC_curve_nist2nid(const char *name)
|
|||||||
}
|
}
|
||||||
return NID_undef;
|
return NID_undef;
|
||||||
}
|
}
|
||||||
|
|
||||||
#define NUM_BN_FIELDS 6
|
|
||||||
/*
|
|
||||||
* Validates EC domain parameter data for known named curves.
|
|
||||||
* This can be used when a curve is loaded explicitly (without a curve
|
|
||||||
* name) or to validate that domain parameters have not been modified.
|
|
||||||
*
|
|
||||||
* Returns: The nid associated with the found named curve, or NID_undef
|
|
||||||
* if not found. If there was an error it returns -1.
|
|
||||||
*/
|
|
||||||
int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx)
|
|
||||||
{
|
|
||||||
int ret = -1, nid, len, field_type, param_len;
|
|
||||||
size_t i, seed_len;
|
|
||||||
const unsigned char *seed, *params_seed, *params;
|
|
||||||
unsigned char *param_bytes = NULL;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const EC_POINT *generator = NULL;
|
|
||||||
const EC_METHOD *meth;
|
|
||||||
const BIGNUM *cofactor = NULL;
|
|
||||||
/* An array of BIGNUMs for (p, a, b, x, y, order) */
|
|
||||||
BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL};
|
|
||||||
|
|
||||||
meth = EC_GROUP_method_of(group);
|
|
||||||
if (meth == NULL)
|
|
||||||
return -1;
|
|
||||||
/* Use the optional named curve nid as a search field */
|
|
||||||
nid = EC_GROUP_get_curve_name(group);
|
|
||||||
field_type = EC_METHOD_get_field_type(meth);
|
|
||||||
seed_len = EC_GROUP_get_seed_len(group);
|
|
||||||
seed = EC_GROUP_get0_seed(group);
|
|
||||||
cofactor = EC_GROUP_get0_cofactor(group);
|
|
||||||
|
|
||||||
BN_CTX_start(ctx);
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The built-in curves contains data fields (p, a, b, x, y, order) that are
|
|
||||||
* all zero-padded to be the same size. The size of the padding is
|
|
||||||
* determined by either the number of bytes in the field modulus (p) or the
|
|
||||||
* EC group order, whichever is larger.
|
|
||||||
*/
|
|
||||||
param_len = BN_num_bytes(group->order);
|
|
||||||
len = BN_num_bytes(group->field);
|
|
||||||
if (len > param_len)
|
|
||||||
param_len = len;
|
|
||||||
|
|
||||||
/* Allocate space to store the padded data for (p, a, b, x, y, order) */
|
|
||||||
param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS);
|
|
||||||
if (param_bytes == NULL)
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
/* Create the bignums */
|
|
||||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
|
||||||
if ((bn[i] = BN_CTX_get(ctx)) == NULL)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* Fill in the bn array with the same values as the internal curves
|
|
||||||
* i.e. the values are p, a, b, x, y, order.
|
|
||||||
*/
|
|
||||||
/* Get p, a & b */
|
|
||||||
if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx)
|
|
||||||
&& ((generator = EC_GROUP_get0_generator(group)) != NULL)
|
|
||||||
/* Get x & y */
|
|
||||||
&& EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx)
|
|
||||||
/* Get order */
|
|
||||||
&& EC_GROUP_get_order(group, bn[5], ctx)))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Convert the bignum array to bytes that are joined together to form
|
|
||||||
* a single buffer that contains data for all fields.
|
|
||||||
* (p, a, b, x, y, order) are all zero padded to be the same size.
|
|
||||||
*/
|
|
||||||
for (i = 0; i < NUM_BN_FIELDS; ++i) {
|
|
||||||
if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < curve_list_length; i++) {
|
|
||||||
const ec_list_element curve = curve_list[i];
|
|
||||||
|
|
||||||
data = curve.data;
|
|
||||||
/* Get the raw order byte data */
|
|
||||||
params_seed = (const unsigned char *)(data + 1); /* skip header */
|
|
||||||
params = params_seed + data->seed_len;
|
|
||||||
|
|
||||||
/* Look for unique fields in the fixed curve data */
|
|
||||||
if (data->field_type == field_type
|
|
||||||
&& param_len == data->param_len
|
|
||||||
&& (nid <= 0 || nid == curve.nid)
|
|
||||||
/* check the optional cofactor (ignore if its zero) */
|
|
||||||
&& (BN_is_zero(cofactor)
|
|
||||||
|| BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor))
|
|
||||||
/* Check the optional seed (ignore if its not set) */
|
|
||||||
&& (data->seed_len == 0 || seed_len == 0
|
|
||||||
|| ((size_t)data->seed_len == seed_len
|
|
||||||
&& memcmp(params_seed, seed, seed_len) == 0))
|
|
||||||
/* Check that the groups params match the built-in curve params */
|
|
||||||
&& memcmp(param_bytes, params, param_len * NUM_BN_FIELDS)
|
|
||||||
== 0) {
|
|
||||||
ret = curve.nid;
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
/* Gets here if the group was not found */
|
|
||||||
ret = NID_undef;
|
|
||||||
end:
|
|
||||||
OPENSSL_free(param_bytes);
|
|
||||||
BN_CTX_end(ctx);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
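Review bot: On the new side of ec_curve.c the last hunk (`-468,115 +481,3`) drops `ec_curve_nid_from_params()` entirely, and its removed header comment describes it as the check that matches explicitly loaded domain parameters against the built-in named curves. Nothing visible in this section replaces it, so confirm that no remaining caller depends on it and that groups supplied with explicit parameters are still validated somewhere on this branch. The same section goes back to `EC_POINT_set_affine_coordinates_GFp` and to `ec_lcl.h`/`e_os.h`, which presumably only builds against the older source tree. A one-line comment at the top of the file naming the upstream release it tracks would make that dependency explicit.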
48
openssl-1.1.0-algo-doc.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
diff -up openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod
|
||||||
|
--- openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod.algo-doc 2017-01-26 15:49:18.784947229 +0100
|
||||||
|
+++ openssl-1.1.0d/doc/crypto/EVP_DigestInit.pod 2017-01-26 15:52:46.458556068 +0100
|
||||||
|
@@ -152,7 +152,7 @@ corresponding OBJECT IDENTIFIER or NID_u
|
||||||
|
EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
|
||||||
|
EVP_MD_CTX_block_size() return the digest or block size in bytes.
|
||||||
|
|
||||||
|
-EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(),
|
||||||
|
+EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha1(), EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(),
|
||||||
|
EVP_mdc2(), EVP_ripemd160(), EVP_blake2b512(), and EVP_blake2s256() return
|
||||||
|
pointers to the corresponding EVP_MD structures.
|
||||||
|
|
||||||
|
diff -up openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod
|
||||||
|
--- openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod.algo-doc 2017-01-26 14:10:24.000000000 +0100
|
||||||
|
+++ openssl-1.1.0d/doc/crypto/EVP_EncryptInit.pod 2017-01-26 15:49:18.784947229 +0100
|
||||||
|
@@ -108,6 +108,32 @@ EVP_chacha20, EVP_chacha20_poly1305 - EV
|
||||||
|
int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||||
|
int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
|
||||||
|
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3(void);
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3_ecb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3_cfb64(void);
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3_cfb1(void);
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3_cfb8(void);
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3_ofb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_des_ede3_cbc(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_128_ecb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_128_cbc(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_128_cfb1(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_128_cfb8(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_128_cfb128(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_128_ofb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_192_ecb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_192_cbc(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_192_cfb1(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_192_cfb8(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_192_cfb128(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_192_ofb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_256_ecb(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_256_cbc(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_256_cfb1(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_256_cfb8(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_256_cfb128(void);
|
||||||
|
+ const EVP_CIPHER *EVP_aes_256_ofb(void);
|
||||||
|
+
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
The EVP cipher routines are a high level interface to certain
|
@ -1,12 +1,12 @@
|
|||||||
diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
|
diff -up openssl-1.1.0-pre5/apps/ca.c.dgst openssl-1.1.0-pre5/apps/ca.c
|
||||||
--- openssl-1.1.1b/apps/ca.c.dgst 2019-02-26 15:15:30.000000000 +0100
|
--- openssl-1.1.0-pre5/apps/ca.c.dgst 2016-04-19 16:57:52.000000000 +0200
|
||||||
+++ openssl-1.1.1b/apps/ca.c 2019-03-15 15:53:46.622267688 +0100
|
+++ openssl-1.1.0-pre5/apps/ca.c 2016-07-18 15:58:18.516742682 +0200
|
||||||
@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
|
@@ -216,7 +216,7 @@ OPTIONS ca_options[] = {
|
||||||
{"enddate", OPT_ENDDATE, 's',
|
{"enddate", OPT_ENDDATE, 's',
|
||||||
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
|
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
|
||||||
{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
|
{"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
|
||||||
- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
|
- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
|
||||||
+ {"md", OPT_MD, 's', "md to use; see openssl help for list"},
|
+ {"md", OPT_MD, 's', "md to use; see openssl dgst -h for list"},
|
||||||
{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
|
{"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
|
||||||
{"keyfile", OPT_KEYFILE, 's', "Private key"},
|
{"keyfile", OPT_KEYFILE, 's', "Private key"},
|
||||||
{"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
|
{"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
|
29
openssl-1.1.0-bio-fd-preserve-nl.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
diff -up openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl openssl-1.1.0c/crypto/bio/bss_fd.c
|
||||||
|
--- openssl-1.1.0c/crypto/bio/bss_fd.c.preserve-nl 2016-11-10 15:03:44.000000000 +0100
|
||||||
|
+++ openssl-1.1.0c/crypto/bio/bss_fd.c 2016-12-22 14:36:16.730740423 +0100
|
||||||
|
@@ -202,8 +202,10 @@ static int fd_gets(BIO *bp, char *buf, i
|
||||||
|
char *ptr = buf;
|
||||||
|
char *end = buf + size - 1;
|
||||||
|
|
||||||
|
- while ((ptr < end) && (fd_read(bp, ptr, 1) > 0) && (ptr[0] != '\n'))
|
||||||
|
- ptr++;
|
||||||
|
+ while (ptr < end && fd_read(bp, ptr, 1) > 0) {
|
||||||
|
+ if (*ptr++ == '\n')
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
ptr[0] = '\0';
|
||||||
|
|
||||||
|
diff -up openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl openssl-1.1.0c/doc/crypto/BIO_read.pod
|
||||||
|
--- openssl-1.1.0c/doc/crypto/BIO_read.pod.preserve-nl 2016-11-10 15:03:45.000000000 +0100
|
||||||
|
+++ openssl-1.1.0c/doc/crypto/BIO_read.pod 2016-12-22 14:37:22.731245197 +0100
|
||||||
|
@@ -23,7 +23,8 @@ in B<buf>. Usually this operation will a
|
||||||
|
from the BIO of maximum length B<len-1>. There are exceptions to this,
|
||||||
|
however; for example, BIO_gets() on a digest BIO will calculate and
|
||||||
|
return the digest and other BIOs may not support BIO_gets() at all.
|
||||||
|
-The returned string is always NUL-terminated.
|
||||||
|
+The returned string is always NUL-terminated and the '\n' is preserved
|
||||||
|
+if present in the input data.
|
||||||
|
|
||||||
|
BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
|
||||||
|
|
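Review bot: `fd_gets` still computes `end = buf + size - 1` and then stores `ptr[0] = '\0'` without checking `size`, so a call with `size <= 0` forms a pointer before `buf` and writes a terminator into a buffer that has no room for it. The rewritten loop leaves that path as it was. A guard ahead of the pointer setup, `if (size <= 0) return 0;`, would close it unless every caller is known to pass a positive size. The function starts and ends outside the hunk, so the return convention should be checked against the lines not shown here.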
73
openssl-1.1.0-build.patch
Normal file
@ -0,0 +1,73 @@
|
|||||||
|
diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
|
||||||
|
--- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200
|
||||||
|
+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200
|
||||||
|
@@ -553,7 +553,7 @@ uninstall_runtime:
|
||||||
|
install_man_docs:
|
||||||
|
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||||
|
@echo "*** Installing manpages"
|
||||||
|
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
|
||||||
|
|
||||||
|
uninstall_man_docs:
|
||||||
|
@@ -565,7 +565,7 @@ uninstall_man_docs:
|
||||||
|
install_html_docs:
|
||||||
|
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||||
|
@echo "*** Installing HTML manpages"
|
||||||
|
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||||
|
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
|
||||||
|
|
||||||
|
uninstall_html_docs:
|
||||||
|
diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
|
||||||
|
--- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200
|
||||||
|
+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200
|
||||||
|
@@ -662,6 +662,7 @@ sub vms_info {
|
||||||
|
cflags => add("-m64 -DL_ENDIAN"),
|
||||||
|
perlasm_scheme => "linux64le",
|
||||||
|
shared_ldflag => add("-m64"),
|
||||||
|
+ multilib => "64",
|
||||||
|
},
|
||||||
|
|
||||||
|
"linux-armv4" => {
|
||||||
|
@@ -702,6 +703,7 @@ sub vms_info {
|
||||||
|
"linux-aarch64" => {
|
||||||
|
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||||
|
perlasm_scheme => "linux64",
|
||||||
|
+ multilib => "64",
|
||||||
|
},
|
||||||
|
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||||
|
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||||
|
diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
|
||||||
|
--- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100
|
||||||
|
+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100
|
||||||
|
@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
|
||||||
|
|
||||||
|
PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
|
||||||
|
|
||||||
|
-Derive=Alice-25519
|
||||||
|
-PeerKey=Bob-25519-PUBLIC
|
||||||
|
-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||||
|
-
|
||||||
|
-Derive=Bob-25519
|
||||||
|
-PeerKey=Alice-25519-PUBLIC
|
||||||
|
-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||||
|
-
|
||||||
|
# Illegal sign/verify operations with X25519 key
|
||||||
|
|
||||||
|
Sign=Alice-25519
|
||||||
|
@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
|
||||||
|
Function = EVP_PKEY_verify_init
|
||||||
|
Reason = operation not supported for this keytype
|
||||||
|
|
||||||
|
+Derive=Alice-25519
|
||||||
|
+PeerKey=Bob-25519-PUBLIC
|
||||||
|
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||||
|
+
|
||||||
|
+Derive=Bob-25519
|
||||||
|
+PeerKey=Alice-25519-PUBLIC
|
||||||
|
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||||
|
+
|
||||||
|
## ECDH Tests: test with randomly generated keys for all the listed curves
|
||||||
|
|
||||||
|
|
24
openssl-1.1.0-ca-dir.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in
|
||||||
|
--- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir 2016-07-18 15:19:40.118110405 +0200
|
||||||
|
+++ openssl-1.1.0-pre5/apps/CA.pl.in 2016-07-18 15:21:06.531061337 +0200
|
||||||
|
@@ -26,7 +26,7 @@ my $X509 = "$openssl x509";
|
||||||
|
my $PKCS12 = "$openssl pkcs12";
|
||||||
|
|
||||||
|
# default openssl.cnf file has setup as per the following
|
||||||
|
-my $CATOP = "./demoCA";
|
||||||
|
+my $CATOP = "/etc/pki/CA";
|
||||||
|
my $CAKEY = "cakey.pem";
|
||||||
|
my $CAREQ = "careq.pem";
|
||||||
|
my $CACERT = "cacert.pem";
|
||||||
|
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf
|
||||||
|
--- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir 2016-07-18 15:19:40.114110315 +0200
|
||||||
|
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 15:19:48.492299467 +0200
|
||||||
|
@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
|
||||||
|
####################################################################
|
||||||
|
[ CA_default ]
|
||||||
|
|
||||||
|
-dir = ./demoCA # Where everything is kept
|
||||||
|
+dir = /etc/pki/CA # Where everything is kept
|
||||||
|
certs = $dir/certs # Where the issued certs are kept
|
||||||
|
crl_dir = $dir/crl # Where the issued crl are kept
|
||||||
|
database = $dir/index.txt # database index file.
|
27
openssl-1.1.0-cc-reqs.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
diff -up openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs openssl-1.1.0h/crypto/rsa/rsa_gen.c
|
||||||
|
--- openssl-1.1.0h/crypto/rsa/rsa_gen.c.cc-reqs 2018-03-27 15:50:39.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-29 14:37:53.405048562 +0200
|
||||||
|
@@ -86,6 +86,12 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||||
|
if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
+ /* prepare minimum p and q difference */
|
||||||
|
+ if (!BN_one(r3))
|
||||||
|
+ goto err;
|
||||||
|
+ if (bitsp > 100 && !BN_lshift(r3, r3, bitsp - 100))
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
if (BN_copy(rsa->e, e_value) == NULL)
|
||||||
|
goto err;
|
||||||
|
|
||||||
|
@@ -118,7 +124,9 @@ static int rsa_builtin_keygen(RSA *rsa,
|
||||||
|
do {
|
||||||
|
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
|
||||||
|
goto err;
|
||||||
|
- } while (BN_cmp(rsa->p, rsa->q) == 0);
|
||||||
|
+ if (!BN_sub(r2, rsa->q, rsa->p))
|
||||||
|
+ goto err;
|
||||||
|
+ } while (BN_ucmp(r2, r3) <= 0);
|
||||||
|
if (!BN_sub(r2, rsa->q, BN_value_one()))
|
||||||
|
goto err;
|
||||||
|
ERR_set_mark();
|
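Review bot: The comment `/* prepare minimum p and q difference */` does not say what the bound is. The code sets `r3` to 2^(bitsp-100) when `bitsp > 100` and to 1 otherwise, and the q loop retries while `BN_ucmp(r2, r3) <= 0`, i.e. while |q - p| <= r3. I would spell that out, e.g. `/* r3 = 2^(bitsp-100), or 1 for small keys: q is regenerated while |q - p| <= r3 */`, and state there that `r3` must not be used as scratch before the q loop, because the p-generation code between the two hunks is not visible here. `r2` briefly holds `q - p`, a value derived from both secret primes; it is overwritten by the following `BN_sub(r2, rsa->q, BN_value_one())`, which depends on the statement order staying as it is. rsa_builtin_keygen begins and ends outside both hunks.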
15
openssl-1.1.0-chil-fixes.patch
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
diff -up openssl-1.1.0-pre6/engines/e_chil.c.chil openssl-1.1.0-pre6/engines/e_chil.c
|
||||||
|
--- openssl-1.1.0-pre6/engines/e_chil.c.chil 2016-08-04 16:00:47.000000000 +0200
|
||||||
|
+++ openssl-1.1.0-pre6/engines/e_chil.c 2016-08-05 16:50:13.860588775 +0200
|
||||||
|
@@ -1195,6 +1195,11 @@ static int hwcrhk_insert_card(const char
|
||||||
|
UI *ui;
|
||||||
|
void *callback_data = NULL;
|
||||||
|
UI_METHOD *ui_method = NULL;
|
||||||
|
+ /* Despite what the documentation says prompt_info can be
|
||||||
|
+ * an empty string.
|
||||||
|
+ */
|
||||||
|
+ if (prompt_info && !*prompt_info)
|
||||||
|
+ prompt_info = NULL;
|
||||||
|
|
||||||
|
if (cactx) {
|
||||||
|
if (cactx->ui_method)
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf
|
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
|
||||||
--- openssl-1.1.1a/apps/openssl.cnf.defaults 2018-11-20 14:35:37.000000000 +0100
|
--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
|
||||||
+++ openssl-1.1.1a/apps/openssl.cnf 2019-01-15 13:56:50.841719776 +0100
|
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
|
||||||
@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate fi
|
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
||||||
|
|
||||||
default_days = 365 # how long to certify for
|
default_days = 365 # how long to certify for
|
||||||
default_crl_days= 30 # how long before next CRL
|
default_crl_days= 30 # how long before next CRL
|
||||||
@ -10,7 +10,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
|||||||
preserve = no # keep passed DN ordering
|
preserve = no # keep passed DN ordering
|
||||||
|
|
||||||
# A few difference way of specifying how similar the request should look
|
# A few difference way of specifying how similar the request should look
|
||||||
@@ -106,6 +106,7 @@ emailAddress = optional
|
@@ -104,6 +104,7 @@ emailAddress = optional
|
||||||
####################################################################
|
####################################################################
|
||||||
[ req ]
|
[ req ]
|
||||||
default_bits = 2048
|
default_bits = 2048
|
||||||
@ -18,7 +18,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
|||||||
default_keyfile = privkey.pem
|
default_keyfile = privkey.pem
|
||||||
distinguished_name = req_distinguished_name
|
distinguished_name = req_distinguished_name
|
||||||
attributes = req_attributes
|
attributes = req_attributes
|
||||||
@@ -128,17 +129,18 @@ string_mask = utf8only
|
@@ -126,17 +127,18 @@ string_mask = utf8only
|
||||||
|
|
||||||
[ req_distinguished_name ]
|
[ req_distinguished_name ]
|
||||||
countryName = Country Name (2 letter code)
|
countryName = Country Name (2 letter code)
|
||||||
@ -40,7 +40,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn
|
|||||||
|
|
||||||
# we can do this but it is not needed normally :-)
|
# we can do this but it is not needed normally :-)
|
||||||
#1.organizationName = Second Organization Name (eg, company)
|
#1.organizationName = Second Organization Name (eg, company)
|
||||||
@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city
|
@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
|
||||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||||
#organizationalUnitName_default =
|
#organizationalUnitName_default =
|
||||||
|
|
85
openssl-1.1.0-disable-ssl3.patch
Normal file
@ -0,0 +1,85 @@
|
|||||||
|
diff -up openssl-1.1.0h/apps/s_client.c.disable-ssl3 openssl-1.1.0h/apps/s_client.c
|
||||||
|
--- openssl-1.1.0h/apps/s_client.c.disable-ssl3 2018-03-29 14:38:39.612133765 +0200
|
||||||
|
+++ openssl-1.1.0h/apps/s_client.c 2018-03-29 14:41:51.309635904 +0200
|
||||||
|
@@ -1489,6 +1489,9 @@ int s_client_main(int argc, char **argv)
|
||||||
|
if (!config_ctx(cctx, ssl_args, ctx))
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||||
|
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+
|
||||||
|
if (ssl_config) {
|
||||||
|
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
||||||
|
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
||||||
|
diff -up openssl-1.1.0h/apps/s_server.c.disable-ssl3 openssl-1.1.0h/apps/s_server.c
|
||||||
|
--- openssl-1.1.0h/apps/s_server.c.disable-ssl3 2018-03-29 14:38:39.613133788 +0200
|
||||||
|
+++ openssl-1.1.0h/apps/s_server.c 2018-03-29 14:42:27.313481477 +0200
|
||||||
|
@@ -1619,6 +1619,9 @@ int s_server_main(int argc, char *argv[]
|
||||||
|
if (!config_ctx(cctx, ssl_args, ctx))
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||||
|
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+
|
||||||
|
if (ssl_config) {
|
||||||
|
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
||||||
|
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
||||||
|
diff -up openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0h/ssl/ssl_lib.c
|
||||||
|
--- openssl-1.1.0h/ssl/ssl_lib.c.disable-ssl3 2018-03-27 15:50:40.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/ssl/ssl_lib.c 2018-03-29 14:38:39.614133811 +0200
|
||||||
|
@@ -2653,6 +2653,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||||
|
* or by using the SSL_CONF library.
|
||||||
|
*/
|
||||||
|
ret->options |= SSL_OP_NO_COMPRESSION;
|
||||||
|
+ /*
|
||||||
|
+ * Disable SSLv3 by default. Applications can
|
||||||
|
+ * re-enable it by configuring
|
||||||
|
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+ * or by using the SSL_CONF library.
|
||||||
|
+ */
|
||||||
|
+ ret->options |= SSL_OP_NO_SSLv3;
|
||||||
|
|
||||||
|
ret->tlsext_status_type = -1;
|
||||||
|
|
||||||
|
diff -up openssl-1.1.0h/test/ssl_test.c.disable-ssl3 openssl-1.1.0h/test/ssl_test.c
|
||||||
|
--- openssl-1.1.0h/test/ssl_test.c.disable-ssl3 2018-03-29 14:38:39.615133835 +0200
|
||||||
|
+++ openssl-1.1.0h/test/ssl_test.c 2018-03-29 14:43:37.893139086 +0200
|
||||||
|
@@ -277,6 +277,7 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||||
|
SSL_TEST_SERVERNAME_CB_NONE) {
|
||||||
|
server2_ctx = SSL_CTX_new(TLS_server_method());
|
||||||
|
TEST_check(server2_ctx != NULL);
|
||||||
|
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
}
|
||||||
|
client_ctx = SSL_CTX_new(TLS_client_method());
|
||||||
|
TEST_check(SSL_CTX_set_max_proto_version(client_ctx, TLS_MAX_VERSION));
|
||||||
|
@@ -290,11 +291,15 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||||
|
TLS_MAX_VERSION));
|
||||||
|
TEST_check(resume_server_ctx != NULL);
|
||||||
|
TEST_check(resume_client_ctx != NULL);
|
||||||
|
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_check(server_ctx != NULL);
|
||||||
|
TEST_check(client_ctx != NULL);
|
||||||
|
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
|
||||||
|
TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
|
||||||
|
|
||||||
|
diff -up openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 openssl-1.1.0h/test/ssltest_old.c
|
||||||
|
--- openssl-1.1.0h/test/ssltest_old.c.disable-ssl3 2018-03-27 15:50:41.000000000 +0200
|
||||||
|
+++ openssl-1.1.0h/test/ssltest_old.c 2018-03-29 14:38:39.615133835 +0200
|
||||||
|
@@ -1460,6 +1460,11 @@ int main(int argc, char *argv[])
|
||||||
|
ERR_print_errors(bio_err);
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
||||||
|
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Since we will use low security ciphersuites and keys for testing set
|
||||||
|
* security level to zero by default. Tests can override this by adding
|
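Review bot: Nothing in this patch tests the new default: `test/ssl_test.c` and `test/ssltest_old.c` call `SSL_CTX_clear_options(..., SSL_OP_NO_SSLv3)` on every context they create, so the suite would not notice if `ret->options |= SSL_OP_NO_SSLv3;` in `SSL_CTX_new` were dropped in a later rebase. A check placed before the clear in `execute_test`, such as `TEST_check((SSL_CTX_get_options(server_ctx) & SSL_OP_NO_SSLv3) != 0);`, would pin the hardened default. In `s_client.c` and `s_server.c` the option is cleared only when `min_version` and `max_version` both equal `SSL3_VERSION`. That condition deserves a short comment saying that only an explicit SSLv3-only request re-enables the protocol, e.g. `/* SSLv3 is off by default; honour an explicit SSLv3-only request */`. All of the touched functions continue outside their hunks.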
80
openssl-1.1.0-ec-curves.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
diff -up openssl-1.1.0e/apps/speed.c.curves openssl-1.1.0e/apps/speed.c
|
||||||
|
--- openssl-1.1.0e/apps/speed.c.curves 2017-02-16 12:58:20.000000000 +0100
|
||||||
|
+++ openssl-1.1.0e/apps/speed.c 2017-02-16 15:46:22.271504354 +0100
|
||||||
|
@@ -536,42 +536,18 @@ static OPT_PAIR rsa_choices[] = {
|
||||||
|
#define R_EC_X25519 16
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
static OPT_PAIR ecdsa_choices[] = {
|
||||||
|
- {"ecdsap160", R_EC_P160},
|
||||||
|
- {"ecdsap192", R_EC_P192},
|
||||||
|
{"ecdsap224", R_EC_P224},
|
||||||
|
{"ecdsap256", R_EC_P256},
|
||||||
|
{"ecdsap384", R_EC_P384},
|
||||||
|
{"ecdsap521", R_EC_P521},
|
||||||
|
- {"ecdsak163", R_EC_K163},
|
||||||
|
- {"ecdsak233", R_EC_K233},
|
||||||
|
- {"ecdsak283", R_EC_K283},
|
||||||
|
- {"ecdsak409", R_EC_K409},
|
||||||
|
- {"ecdsak571", R_EC_K571},
|
||||||
|
- {"ecdsab163", R_EC_B163},
|
||||||
|
- {"ecdsab233", R_EC_B233},
|
||||||
|
- {"ecdsab283", R_EC_B283},
|
||||||
|
- {"ecdsab409", R_EC_B409},
|
||||||
|
- {"ecdsab571", R_EC_B571},
|
||||||
|
{NULL}
|
||||||
|
};
|
||||||
|
|
||||||
|
static OPT_PAIR ecdh_choices[] = {
|
||||||
|
- {"ecdhp160", R_EC_P160},
|
||||||
|
- {"ecdhp192", R_EC_P192},
|
||||||
|
{"ecdhp224", R_EC_P224},
|
||||||
|
{"ecdhp256", R_EC_P256},
|
||||||
|
{"ecdhp384", R_EC_P384},
|
||||||
|
{"ecdhp521", R_EC_P521},
|
||||||
|
- {"ecdhk163", R_EC_K163},
|
||||||
|
- {"ecdhk233", R_EC_K233},
|
||||||
|
- {"ecdhk283", R_EC_K283},
|
||||||
|
- {"ecdhk409", R_EC_K409},
|
||||||
|
- {"ecdhk571", R_EC_K571},
|
||||||
|
- {"ecdhb163", R_EC_B163},
|
||||||
|
- {"ecdhb233", R_EC_B233},
|
||||||
|
- {"ecdhb283", R_EC_B283},
|
||||||
|
- {"ecdhb409", R_EC_B409},
|
||||||
|
- {"ecdhb571", R_EC_B571},
|
||||||
|
{"ecdhx25519", R_EC_X25519},
|
||||||
|
{NULL}
|
||||||
|
};
|
||||||
|
diff -up openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves openssl-1.1.0e/crypto/ec/ecp_smpl.c
|
||||||
|
--- openssl-1.1.0e/crypto/ec/ecp_smpl.c.curves 2017-02-16 12:58:21.000000000 +0100
|
||||||
|
+++ openssl-1.1.0e/crypto/ec/ecp_smpl.c 2017-02-16 15:46:22.264504188 +0100
|
||||||
|
@@ -144,6 +144,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (BN_num_bits(p) < 224) {
|
||||||
|
+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (ctx == NULL) {
|
||||||
|
ctx = new_ctx = BN_CTX_new();
|
||||||
|
if (ctx == NULL)
|
||||||
|
diff -up openssl-1.1.0e/test/ecdsatest.c.curves openssl-1.1.0e/test/ecdsatest.c
|
||||||
|
--- openssl-1.1.0e/test/ecdsatest.c.curves 2017-02-16 12:58:24.000000000 +0100
|
||||||
|
+++ openssl-1.1.0e/test/ecdsatest.c 2017-02-16 15:46:22.250503857 +0100
|
||||||
|
@@ -216,6 +216,7 @@ int x9_62_tests(BIO *out)
|
||||||
|
if (!change_rand())
|
||||||
|
goto x962_err;
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
if (!x9_62_test_internal(out, NID_X9_62_prime192v1,
|
||||||
|
"3342403536405981729393488334694600415596881826869351677613",
|
||||||
|
"5735822328888155254683894997897571951568553642892029982342"))
|
||||||
|
@@ -226,6 +227,7 @@ int x9_62_tests(BIO *out)
|
||||||
|
"3238135532097973577080787768312505059318910517550078427819"
|
||||||
|
"78505179448783"))
|
||||||
|
goto x962_err;
|
||||||
|
+#endif
|
||||||
|
# ifndef OPENSSL_NO_EC2M
|
||||||
|
if (!x9_62_test_internal(out, NID_X9_62_c2tnb191v1,
|
||||||
|
"87194383164871543355722284926904419997237591535066528048",
|
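--- a/openssl-1.1.0-manfix.patch
+++ b/openssl-1.1.0-manfix.patch
@@ -0,0 +1,51 @@
+diff -up openssl-1.1.0g/doc/apps/ec.pod.manfix openssl-1.1.0g/doc/apps/ec.pod
+--- openssl-1.1.0g/doc/apps/ec.pod.manfix 2017-11-02 15:29:04.000000000 +0100
++++ openssl-1.1.0g/doc/apps/ec.pod 2017-11-03 16:09:31.714027145 +0100
+@@ -101,10 +101,6 @@ prints out the public, private key compo
+
+this option prevents output of the encoded version of the key.
+
+-=item B<-modulus>
+-
+-this option prints out the value of the public key component of the key.
+-
+=item B<-pubin>
+
+by default a private key is read from the input file: with this option a
+diff -up openssl-1.1.0g/doc/apps/openssl.pod.manfix openssl-1.1.0g/doc/apps/openssl.pod
+--- openssl-1.1.0g/doc/apps/openssl.pod.manfix 2017-11-02 15:29:04.000000000 +0100
++++ openssl-1.1.0g/doc/apps/openssl.pod 2017-11-03 16:11:48.478245311 +0100
+@@ -170,7 +170,7 @@ Create or examine a Netscape certificate
+
+Online Certificate Status Protocol utility.
+
+-=item L<B<passwd>|passwd(1)>
++=item L<B<passwd>|sslpasswd(1)>
+
+Generation of hashed passwords.
+
+@@ -198,7 +198,7 @@ Public key algorithm parameter managemen
+
+Public key algorithm cryptographic operation utility.
+
+-=item L<B<rand>|rand(1)>
++=item L<B<rand>|sslrand(1)>
+
+Generate pseudo-random bytes.
+
+@@ -432,13 +432,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
+L<ec(1)>, L<ecparam(1)>,
+L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
+L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
+-L<passwd(1)>,
+L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
+L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>,
+-L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
++L<rehash(1)>, L<req(1)>, L<rsa(1)>,
+L<rsautl(1)>, L<s_client(1)>,
+L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
+L<smime(1)>, L<speed(1)>, L<spkac(1)>,
++L<sslpasswd(1)>, L<sslrand(1)>,
+L<ts(1)>,
+L<verify(1)>, L<version(1)>, L<x509(1)>,
+L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>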
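--- a/openssl-1.1.0-missing-quotes.patch
+++ b/openssl-1.1.0-missing-quotes.patch
@@ -0,0 +1,15 @@
+diff -up openssl-1.1.0h/util/dofile.pl.missing-quotes openssl-1.1.0h/util/dofile.pl
+--- openssl-1.1.0h/util/dofile.pl.missing-quotes 2018-03-27 15:50:41.000000000 +0200
++++ openssl-1.1.0h/util/dofile.pl 2018-04-03 11:59:36.742091742 +0200
+@@ -99,9 +99,9 @@ package main;
+# This adds quotes (") around the given string, and escapes any $, @, \,
+# " and ' by prepending a \ to them.
+sub quotify1 {
+- my $s = my $orig = shift @_;
++ my $s = shift @_;
+$s =~ s/([\$\@\\"'])/\\$1/g;
+- $s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s;
++ '"'.$s.'"';
+}
+
+# quotify_l LIST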
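--- a/openssl-1.1.0-no-html.patch
+++ b/openssl-1.1.0-no-html.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
++++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
+@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
+
+uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+
+uninstall_docs: uninstall_man_docs uninstall_html_docs
+$(RM) -r -v $(DESTDIR)$(DOCDIR)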
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/crypto/asn1/a_verify.c
|
diff -up openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify openssl-1.1.0g/crypto/asn1/a_verify.c
|
||||||
--- openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify 2019-02-26 15:15:30.000000000 +0100
|
--- openssl-1.1.0g/crypto/asn1/a_verify.c.no-md5-verify 2017-11-02 15:29:02.000000000 +0100
|
||||||
+++ openssl-1.1.1b/crypto/asn1/a_verify.c 2019-02-28 11:25:31.531862873 +0100
|
+++ openssl-1.1.0g/crypto/asn1/a_verify.c 2017-11-03 16:15:46.125801341 +0100
|
||||||
@@ -7,6 +7,9 @@
|
@@ -7,6 +7,9 @@
|
||||||
* https://www.openssl.org/source/license.html
|
* https://www.openssl.org/source/license.html
|
||||||
*/
|
*/
|
||||||
@ -11,7 +11,7 @@ diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/cry
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@@ -130,6 +133,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
|
@@ -126,6 +129,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
|
||||||
if (ret != 2)
|
if (ret != 2)
|
||||||
goto err;
|
goto err;
|
||||||
ret = -1;
|
ret = -1;
|
||||||
@ -22,5 +22,5 @@ diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/cry
|
|||||||
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
|
||||||
+ goto err;
|
+ goto err;
|
||||||
} else {
|
} else {
|
||||||
const EVP_MD *type = EVP_get_digestbynid(mdnid);
|
const EVP_MD *type;
|
||||||
|
type = EVP_get_digestbynid(mdnid);
|
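--- a/openssl-1.1.0-secure-getenv.patch
+++ b/openssl-1.1.0-secure-getenv.patch
@@ -0,0 +1,139 @@
+diff -up openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_api.c
+--- openssl-1.1.0g/crypto/conf/conf_api.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100
++++ openssl-1.1.0g/crypto/conf/conf_api.c 2017-11-03 16:12:31.826265323 +0100
+@@ -9,6 +9,8 @@
+
+/* Part of the code in here was originally in conf.c, which is now removed */
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/conf.h>
+@@ -82,7 +84,7 @@ char *_CONF_get_string(const CONF *conf,
+if (v != NULL)
+return (v->value);
+if (strcmp(section, "ENV") == 0) {
+- p = getenv(name);
++ p = secure_getenv(name);
+if (p != NULL)
+return (p);
+}
+@@ -95,7 +97,7 @@ char *_CONF_get_string(const CONF *conf,
+else
+return (NULL);
+} else
+- return (getenv(name));
++ return (secure_getenv(name));
+}
+
+static unsigned long conf_value_hash(const CONF_VALUE *v)
+diff -up openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv openssl-1.1.0g/crypto/conf/conf_mod.c
+--- openssl-1.1.0g/crypto/conf/conf_mod.c.secure-getenv 2017-11-02 15:29:02.000000000 +0100
++++ openssl-1.1.0g/crypto/conf/conf_mod.c 2017-11-03 16:12:31.827265347 +0100
+@@ -7,6 +7,8 @@
+* https://www.openssl.org/source/license.html
+*/
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+#include <stdio.h>
+#include <ctype.h>
+#include <openssl/crypto.h>
+@@ -478,7 +480,7 @@ char *CONF_get1_default_config_file(void
+char *file;
+int len;
+
+- file = getenv("OPENSSL_CONF");
++ file = secure_getenv("OPENSSL_CONF");
+if (file)
+return OPENSSL_strdup(file);
+
+diff -up openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv openssl-1.1.0g/crypto/engine/eng_list.c
+--- openssl-1.1.0g/crypto/engine/eng_list.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100
++++ openssl-1.1.0g/crypto/engine/eng_list.c 2017-11-03 16:12:31.827265347 +0100
+@@ -13,6 +13,8 @@
+* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
+*/
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+#include "eng_int.h"
+
+/*
+@@ -322,7 +324,7 @@ ENGINE *ENGINE_by_id(const char *id)
+* Prevent infinite recursion if we're looking for the dynamic engine.
+*/
+if (strcmp(id, "dynamic")) {
+- if ((load_dir = getenv("OPENSSL_ENGINES")) == 0)
++ if ((load_dir = secure_getenv("OPENSSL_ENGINES")) == 0)
+load_dir = ENGINESDIR;
+iterator = ENGINE_by_id("dynamic");
+if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
+diff -up openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv openssl-1.1.0g/crypto/rand/randfile.c
+--- openssl-1.1.0g/crypto/rand/randfile.c.secure-getenv 2017-11-02 15:29:03.000000000 +0100
++++ openssl-1.1.0g/crypto/rand/randfile.c 2017-11-03 16:12:31.827265347 +0100
+@@ -7,6 +7,8 @@
+* https://www.openssl.org/source/license.html
+*/
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+#include "internal/cryptlib.h"
+
+#include <errno.h>
+@@ -317,10 +319,10 @@ const char *RAND_file_name(char *buf, si
+if (OPENSSL_issetugid() != 0) {
+use_randfile = 0;
+} else {
+- s = getenv("RANDFILE");
++ s = secure_getenv("RANDFILE");
+if (s == NULL || *s == '\0') {
+use_randfile = 0;
+- s = getenv("HOME");
++ s = secure_getenv("HOME");
+}
+}
+#endif
+diff -up openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv openssl-1.1.0g/crypto/x509/by_dir.c
+--- openssl-1.1.0g/crypto/x509/by_dir.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100
++++ openssl-1.1.0g/crypto/x509/by_dir.c 2017-11-03 16:12:31.827265347 +0100
+@@ -7,6 +7,8 @@
+* https://www.openssl.org/source/license.html
+*/
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+@@ -78,7 +80,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, in
+switch (cmd) {
+case X509_L_ADD_DIR:
+if (argl == X509_FILETYPE_DEFAULT) {
+- dir = (char *)getenv(X509_get_default_cert_dir_env());
++ dir = (char *)secure_getenv(X509_get_default_cert_dir_env());
+if (dir)
+ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
+else
+diff -up openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv openssl-1.1.0g/crypto/x509/by_file.c
+--- openssl-1.1.0g/crypto/x509/by_file.c.secure-getenv 2017-11-02 15:29:04.000000000 +0100
++++ openssl-1.1.0g/crypto/x509/by_file.c 2017-11-03 16:14:13.230649686 +0100
+@@ -7,6 +7,8 @@
+* https://www.openssl.org/source/license.html
+*/
+
++/* for secure_getenv */
++#define _GNU_SOURCE
+#include <stdio.h>
+#include <time.h>
+#include <errno.h>
+@@ -47,7 +49,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx
+switch (cmd) {
+case X509_L_FILE_LOAD:
+if (argl == X509_FILETYPE_DEFAULT) {
+- file = getenv(X509_get_default_cert_file_env());
++ file = secure_getenv(X509_get_default_cert_file_env());
+if (file)
+ok = (X509_load_cert_crl_file(ctx, file,
+X509_FILETYPE_PEM) != 0);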
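Review bot: The two `secure_getenv(name)` calls in `_CONF_get_string` change what an `ENV` lookup means, and nothing at the call site says so: in secure-execution mode the function returns NULL even when the variable is set, so both branches in the conf_api.c hunks then behave as if it were unset. A configuration file that expands an environment variable without a default would presumably stop loading in such a process, which is the intended hardening but hard to diagnose without a hint. I would add above the first call `/* secure_getenv() yields NULL in secure-execution mode (setuid/setgid, file capabilities); ENV lookups are then treated as unset */`. Every touched file also gains an unconditional dependency on a glibc-specific function via `#define _GNU_SOURCE`, with no fallback to `getenv()` for other C libraries, which is worth stating next to the define. `_CONF_get_string` starts and ends outside these hunks, so how a NULL result is handled further down is not visible here.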
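--- a/openssl-1.1.0-silent-rnd-write.patch
+++ b/openssl-1.1.0-silent-rnd-write.patch
@@ -0,0 +1,24 @@
+diff -up openssl-1.1.0h/apps/app_rand.c.silent-rnd-write openssl-1.1.0h/apps/app_rand.c
+--- openssl-1.1.0h/apps/app_rand.c.silent-rnd-write 2018-03-27 15:50:37.000000000 +0200
++++ openssl-1.1.0h/apps/app_rand.c 2018-03-29 15:27:24.597891091 +0200
+@@ -91,6 +91,7 @@ long app_RAND_load_files(char *name)
+int app_RAND_write_file(const char *file)
+{
+char buffer[200];
++ const char *origfile = file;
+
+if (egdsocket || !seeded)
+/*
+@@ -103,8 +104,10 @@ int app_RAND_write_file(const char *file
+if (file == NULL)
+file = RAND_file_name(buffer, sizeof(buffer));
+if (file == NULL || !RAND_write_file(file)) {
+- BIO_printf(bio_err, "unable to write 'random state'\n");
+- return 0;
++ if (origfile != NULL) {
++ BIO_printf(bio_err, "unable to write 'random state'\n");
++ return 0;
++ }
+}
+return 1;
+}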
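Review bot: With the new `if (origfile != NULL)` test, `app_RAND_write_file` returns 1 when the caller passed no file name and either `RAND_file_name` or `RAND_write_file` failed, and the code gives no reason for swallowing that failure. A reader cannot tell whether the silent path is deliberate, and a caller that checks the return value can no longer tell "state saved" from "nothing written". I would document the intent on the inner test, for example `/* the default seed file is best-effort: report failure only when the caller named a file */`, and restate the return contract in the function's header comment. The lines between the two hunks are not shown, so the early-return path under `egdsocket || !seeded` is not covered by this note.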
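--- a/openssl-1.1.0-system-cipherlist.patch
+++ b/openssl-1.1.0-system-cipherlist.patch
@@ -0,0 +1,317 @@
+diff -up openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.0e/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0e/Configurations/unix-Makefile.tmpl.system-cipherlist 2017-02-16 16:15:38.658931413 +0100
++++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl 2017-02-16 16:15:38.675931806 +0100
+@@ -161,6 +161,10 @@ MANDIR=$(INSTALLTOP)/share/man
+DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
+HTMLDIR=$(DOCDIR)/html
+
++{- output_off() if $config{system_ciphers_file} eq ""; "" -}
++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
++{- output_on() if $config{system_ciphers_file} eq ""; "" -}
++
+# MANSUFFIX is for the benefit of anyone who may want to have a suffix
+# appended after the manpage file section number. "ssl" is popular,
+# resulting in files such as config.5ssl rather than config.5.
+@@ -171,7 +175,7 @@ HTMLSUFFIX=html
+
+CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+CC= $(CROSS_COMPILE){- $target{cc} -}
+-CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
++CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}}),"\$(SYSTEM_CIPHERS_FILE_DEFINE)","-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $target{cflags} -} {- $config{cflags} -}
+CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+LDFLAGS= {- $target{lflags} -}
+PLIB_LDFLAGS= {- $target{plib_lflags} -}
+diff -up openssl-1.1.0e/Configure.system-cipherlist openssl-1.1.0e/Configure
+--- openssl-1.1.0e/Configure.system-cipherlist 2017-02-16 12:58:20.000000000 +0100
++++ openssl-1.1.0e/Configure 2017-02-16 16:15:38.679931899 +0100
+@@ -18,7 +18,7 @@ use if $^O ne "VMS", 'File::Glob' => qw/
+
+# see INSTALL for instructions.
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+
+# Options:
+#
+@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher>
+# This becomes the value of OPENSSLDIR in Makefile and in C.
+# (Default: PREFIX/ssl)
+#
++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
++# cipher is specified (default).
++#
+# --cross-compile-prefix Add specified prefix to binutils components.
+#
+# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
+@@ -293,6 +296,7 @@ $config{openssldir}="";
+$config{processor}="";
+$config{libdir}="";
+$config{cross_compile_prefix}="";
++$config{system_ciphers_file}="";
+$config{fipslibdir}="/usr/local/ssl/fips-2.0/lib/";
+my $nofipscanistercheck=0;
+$config{baseaddr}="0xFB00000";
+@@ -718,6 +722,10 @@ while (@argvcopy)
+{
+$config{baseaddr}="$1";
+}
++ elsif (/^--system-ciphers-file=(.*)$/)
++ {
++ $config{system_ciphers_file}=$1;
++ }
+elsif (/^--cross-compile-prefix=(.*)$/)
+{
+$config{cross_compile_prefix}=$1;
+@@ -851,6 +859,8 @@ if ($target =~ m/^CygWin32(-.*)$/) {
+$target = "Cygwin".$1;
+}
+
++chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
++
+foreach (sort (keys %disabled))
+{
+$config{options} .= " no-$_";
+diff -up openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist openssl-1.1.0e/doc/apps/ciphers.pod
+--- openssl-1.1.0e/doc/apps/ciphers.pod.system-cipherlist 2017-02-16 12:58:22.000000000 +0100
++++ openssl-1.1.0e/doc/apps/ciphers.pod 2017-02-16 16:37:14.043219953 +0100
+@@ -181,6 +181,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+
+The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+
++=item B<PROFILE=SYSTEM>
++
++The list of enabled cipher suites will be loaded from the system crypto policy
++configuration file B</etc/crypto-policies/back-ends/openssl.config>.
++See also L<update-crypto-policies(8)>.
++This is the default behavior unless an application explicitly sets a cipher
++list. If used in a cipher list configuration value this string must be at the
++beginning of the cipher list, otherwise it will not be recognized.
++
+=item B<HIGH>
+
+"high" encryption cipher suites. This currently means those with key lengths
+diff -up openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist openssl-1.1.0e/include/openssl/ssl.h
+--- openssl-1.1.0e/include/openssl/ssl.h.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
++++ openssl-1.1.0e/include/openssl/ssl.h 2017-02-16 16:15:38.676931830 +0100
+@@ -201,6 +201,11 @@ extern "C" {
+* throwing out anonymous and unencrypted ciphersuites! (The latter are not
+* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
+*/
++# ifdef SYSTEM_CIPHERS_FILE
++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
++# else
++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++# endif
+
+/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+# define SSL_SENT_SHUTDOWN 1
+diff -up openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.0e/ssl/ssl_ciph.c
+--- openssl-1.1.0e/ssl/ssl_ciph.c.system-cipherlist 2017-02-16 12:58:23.000000000 +0100
++++ openssl-1.1.0e/ssl/ssl_ciph.c 2017-02-16 16:15:38.691932177 +0100
+@@ -1289,6 +1289,50 @@ static int check_suiteb_cipher_list(cons
+}
+#endif
+
++#ifdef SYSTEM_CIPHERS_FILE
++static char *load_system_str(const char *suffix)
++{
++ FILE *fp;
++ char buf[1024];
++ char *new_rules;
++ unsigned len, slen;
++
++ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++ /* cannot open or file is empty */
++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
++ }
++
++ if (fp)
++ fclose(fp);
++
++ slen = strlen(suffix);
++ len = strlen(buf);
++
++ if (buf[len - 1] == '\n') {
++ len--;
++ buf[len] = 0;
++ }
++ if (buf[len - 1] == '\r') {
++ len--;
++ buf[len] = 0;
++ }
++
++ new_rules = OPENSSL_malloc(len + slen + 1);
++ if (new_rules == 0)
++ return NULL;
++
++ memcpy(new_rules, buf, len);
++ if (slen > 0) {
++ memcpy(&new_rules[len], suffix, slen);
++ len += slen;
++ }
++ new_rules[len] = 0;
++
++ return new_rules;
++}
++#endif
++
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
+**cipher_list, STACK_OF(SSL_CIPHER)
+**cipher_list_by_id,
+@@ -1296,19 +1341,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+{
+int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
+- STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
++ STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list;
+const char *rule_p;
+CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
+const SSL_CIPHER **ca_list = NULL;
++#ifdef SYSTEM_CIPHERS_FILE
++ char *new_rules = NULL;
++
++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
++ char *p = rule_str + 14;
++
++ new_rules = load_system_str(p);
++ rule_str = new_rules;
++ }
++#endif
+
+/*
+* Return with error if nothing to do.
+*/
+if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+- return NULL;
++ goto end;
+#ifndef OPENSSL_NO_EC
+if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+- return NULL;
++ goto end;
+#endif
+
+/*
+@@ -1331,7 +1386,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
+if (co_list == NULL) {
+SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return (NULL); /* Failure */
++ goto end;
+}
+
+ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+@@ -1401,8 +1456,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+* in force within each class
+*/
+if (!ssl_cipher_strength_sort(&head, &tail)) {
+- OPENSSL_free(co_list);
+- return NULL;
++ goto end;
+}
+
+/*
+@@ -1447,9 +1501,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
+if (ca_list == NULL) {
+- OPENSSL_free(co_list);
+SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+- return (NULL); /* Failure */
++ goto end;
+}
+ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+disabled_mkey, disabled_auth, disabled_enc,
+@@ -1475,8 +1528,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+OPENSSL_free(ca_list); /* Not needed anymore */
+
+if (!ok) { /* Rule processing failure */
+- OPENSSL_free(co_list);
+- return (NULL);
++ goto end;
+}
+
+/*
+@@ -1484,8 +1536,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+* if we cannot get one.
+*/
+if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
+- OPENSSL_free(co_list);
+- return (NULL);
++ goto end;
+}
+
+/*
+@@ -1496,21 +1547,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+if (curr->active
+&& (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
+- OPENSSL_free(co_list);
+sk_SSL_CIPHER_free(cipherstack);
+- return NULL;
++ cipherstack = NULL;
++ goto end;
+}
+#ifdef CIPHER_DEBUG
+fprintf(stderr, "<%s>\n", curr->cipher->name);
+#endif
+}
+}
+- OPENSSL_free(co_list); /* Not needed any longer */
+
+tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
+if (tmp_cipher_list == NULL) {
+sk_SSL_CIPHER_free(cipherstack);
+- return NULL;
++ cipherstack = NULL;
++ goto end;
+}
+sk_SSL_CIPHER_free(*cipher_list);
+*cipher_list = cipherstack;
+@@ -1520,6 +1571,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
+
+sk_SSL_CIPHER_sort(*cipher_list_by_id);
++
++ end:
++ OPENSSL_free(co_list);
++#ifdef SYSTEM_CIPHERS_FILE
++ OPENSSL_free(new_rules);
++#endif
+return (cipherstack);
+}
+
+diff -up openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist openssl-1.1.0e/ssl/ssl_lib.c
+--- openssl-1.1.0e/ssl/ssl_lib.c.system-cipherlist 2017-02-16 16:15:38.673931760 +0100
++++ openssl-1.1.0e/ssl/ssl_lib.c 2017-02-16 16:15:38.692932200 +0100
+@@ -509,7 +509,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+
+sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list),
+&(ctx->cipher_list_by_id),
+- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
+if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
+SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+return (0);
+@@ -2403,7 +2403,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+#endif
+if (!ssl_create_cipher_list(ret->method,
+&ret->cipher_list, &ret->cipher_list_by_id,
+- SSL_DEFAULT_CIPHER_LIST, ret->cert)
++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
+|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+goto err2;
+diff -up openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist openssl-1.1.0e/test/cipherlist_test.c
+--- openssl-1.1.0e/test/cipherlist_test.c.system-cipherlist 2017-02-16 12:58:24.000000000 +0100
++++ openssl-1.1.0e/test/cipherlist_test.c 2017-02-16 16:15:38.677931853 +0100
+@@ -190,7 +190,9 @@ int main(int argc, char **argv)
+{
+int result = 0;
+
++#ifndef SYSTEM_CIPHERS_FILE
+ADD_TEST(test_default_cipherlist_implicit);
++#endif
+ADD_TEST(test_default_cipherlist_explicit);
+
+result = run_tests(argv[0]);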
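Review bot: In `load_system_str` the trailing-character tests can index outside `buf`: if the first line of the policy file is only a newline, the `'\n'` branch reduces `len` to 0 and `buf[len - 1] == '\r'` then reads `buf[UINT_MAX]`, because `len` is `unsigned`. Both tests should be guarded, `if (len > 0 && buf[len - 1] == '\n') {` and `if (len > 0 && buf[len - 1] == '\r') {`. An empty line is also passed on as the rule string instead of falling back to `SSL_DEFAULT_CIPHER_LIST`, and a first line longer than the 1024-byte buffer is cut by `fgets` without any diagnostic, so a truncated policy would be applied silently; both cases deserve an explicit check. In `ssl_create_cipher_list`, `char *p = rule_str + 14;` drops the qualifier if `rule_str` is `const char *` (its declaration is outside the hunk), and `const char *p` would match the parameter of `load_system_str`.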
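--- a/openssl-1.1.0-version-add-engines.patch
+++ b/openssl-1.1.0-version-add-engines.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.1.0h/apps/version.c.version-add-engines openssl-1.1.0h/apps/version.c
+--- openssl-1.1.0h/apps/version.c.version-add-engines 2018-03-27 15:50:37.000000000 +0200
++++ openssl-1.1.0h/apps/version.c 2018-03-29 14:33:30.732879537 +0200
+@@ -52,7 +52,7 @@ int version_main(int argc, char **argv)
+{
+int ret = 1, dirty = 0;
+int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
+- int engdir = 0;
++ int engdir = 0, engines = 0;
+char *prog;
+OPTION_CHOICE o;
+
+@@ -90,7 +90,7 @@ opthelp:
+dirty = version = 1;
+break;
+case OPT_A:
+- options = cflags = version = date = platform = dir = engdir = 1;
++ options = cflags = version = date = platform = dir = engdir = engines = 1;
+break;
+}
+}
+@@ -139,6 +139,16 @@ opthelp:
+printf("%s\n", OpenSSL_version(OPENSSL_DIR));
+if (engdir)
+printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
++ if (engines) {
++ ENGINE *e;
++ printf("engines: ");
++ e = ENGINE_get_first();
++ while (e) {
++ printf("%s ", ENGINE_get_id(e));
++ e = ENGINE_get_next(e);
++ }
++ printf("\n");
++ }
+ret = 0;
+end:
+return (ret);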
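Review bot: The new `if (engines)` block in `version_main` uses `ENGINE`, `ENGINE_get_first`, `ENGINE_get_id` and `ENGINE_get_next` with no `OPENSSL_NO_ENGINE` guard, so a build configured without engine support would presumably fail to compile at this point. I would wrap the block in `#ifndef OPENSSL_NO_ENGINE` and `#endif`, leaving the `engines` flag itself unconditional so the `OPT_A` assignment stays as it is. The block also has no comment saying that it lists the engines currently registered in the process rather than those installed in the engines directory printed just above it; a one-line comment such as `/* IDs of the engines currently loaded, not the contents of ENGINESDIR */` would prevent that misreading. The option table and help text are outside the hunks, so whether `-a` is documented as printing this line cannot be checked from here.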
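--- a/openssl-1.1.0-weak-ciphers.patch
+++ b/openssl-1.1.0-weak-ciphers.patch
@@ -0,0 +1,30 @@
+diff -up openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers openssl-1.1.0f/ssl/s3_lib.c
+--- openssl-1.1.0f/ssl/s3_lib.c.weak-ciphers 2017-05-25 14:46:20.000000000 +0200
++++ openssl-1.1.0f/ssl/s3_lib.c 2017-06-15 15:12:51.555142528 +0200
+@@ -2425,7 +2425,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+SSL_GOST89MAC,
+TLS1_VERSION, TLS1_2_VERSION,
+0, 0,
+- SSL_HIGH,
++ SSL_MEDIUM,
+SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
+256,
+256,
+@@ -2455,7 +2455,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+SSL_GOST89MAC12,
+TLS1_VERSION, TLS1_2_VERSION,
+0, 0,
+- SSL_HIGH,
++ SSL_MEDIUM,
+SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
+256,
+256,
+@@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+},
+#endif /* OPENSSL_NO_SEED */
+
+-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
++#if 0 /* No RC4 */
+{
+1,
+SSL3_TXT_RSA_RC4_128_MD5,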
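Review bot: The `#if 0 /* No RC4 */` guard in the third s3_lib.c hunk compiles out everything up to the matching `#endif`, which lies outside the hunk, so it cannot be confirmed from here that the block holds only RC4 suites, and the short comment drops the link to the build option it replaces. I would spell that out, e.g. `#if 0 /* RC4 suites disabled unconditionally in this build; was #ifndef OPENSSL_NO_WEAK_SSL_CIPHERS */`, and check that the comment on the closing `#endif` still reads correctly. The two `SSL_HIGH` to `SSL_MEDIUM` changes on the GOST89 entries also carry no rationale; a one-line comment beside each, or a short header paragraph at the top of the patch file, would tell whoever rebases this patch why those suites are downgraded. The `ssl3_ciphers[]` initializer starts and ends outside all three hunks.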
@ -1,27 +0,0 @@
|
|||||||
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
|
|
||||||
Author: Tomas Mraz <tmraz@fedoraproject.org>
|
|
||||||
Date: Thu Mar 26 15:59:00 2020 +0100
|
|
||||||
|
|
||||||
s_server: Properly indicate ALPN protocol mismatch
|
|
||||||
|
|
||||||
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
|
|
||||||
an alert is sent to the client on ALPN protocol mismatch.
|
|
||||||
|
|
||||||
Fixes: #2708
|
|
||||||
|
|
||||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
||||||
(Merged from https://github.com/openssl/openssl/pull/11415)
|
|
||||||
|
|
||||||
diff --git a/apps/s_server.c b/apps/s_server.c
|
|
||||||
index bcc83e562c..591c6c19c5 100644
|
|
||||||
--- a/apps/s_server.c
|
|
||||||
+++ b/apps/s_server.c
|
|
||||||
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
|
||||||
if (SSL_select_next_proto
|
|
||||||
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
|
||||||
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
|
||||||
- return SSL_TLSEXT_ERR_NOACK;
|
|
||||||
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!s_quiet) {
|
|
@ -1,40 +0,0 @@
|
|||||||
diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
|
|
||||||
--- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
|
|
||||||
+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
|
|
||||||
@@ -678,6 +678,7 @@ my %targets = (
|
|
||||||
cxxflags => add("-m64"),
|
|
||||||
lib_cppflags => add("-DL_ENDIAN"),
|
|
||||||
perlasm_scheme => "linux64le",
|
|
||||||
+ multilib => "64",
|
|
||||||
},
|
|
||||||
|
|
||||||
"linux-armv4" => {
|
|
||||||
@@ -718,6 +719,7 @@ my %targets = (
|
|
||||||
"linux-aarch64" => {
|
|
||||||
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
|
||||||
perlasm_scheme => "linux64",
|
|
||||||
+ multilib => "64",
|
|
||||||
},
|
|
||||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
|
||||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
|
||||||
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
|
|
||||||
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
|
|
||||||
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
|
|
||||||
@@ -823,7 +823,7 @@ uninstall_runtime_libs:
|
|
||||||
install_man_docs:
|
|
||||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
|
||||||
@$(ECHO) "*** Installing manpages"
|
|
||||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
|
||||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
|
||||||
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
|
|
||||||
|
|
||||||
uninstall_man_docs:
|
|
||||||
@@ -835,7 +835,7 @@ uninstall_man_docs:
|
|
||||||
install_html_docs:
|
|
||||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
|
||||||
@$(ECHO) "*** Installing HTML manpages"
|
|
||||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
|
||||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
|
||||||
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
|
|
||||||
|
|
||||||
uninstall_html_docs:
|
|
@ -1,56 +0,0 @@
|
|||||||
diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
|
|
||||||
--- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths 2018-06-20 16:48:09.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/apps/CA.pl.in 2018-07-25 17:26:58.388624296 +0200
|
|
||||||
@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
|
|
||||||
my $PKCS12 = "$openssl pkcs12";
|
|
||||||
|
|
||||||
# default openssl.cnf file has setup as per the following
|
|
||||||
-my $CATOP = "./demoCA";
|
|
||||||
+my $CATOP = "/etc/pki/CA";
|
|
||||||
my $CAKEY = "cakey.pem";
|
|
||||||
my $CAREQ = "careq.pem";
|
|
||||||
my $CACERT = "cacert.pem";
|
|
||||||
diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
|
|
||||||
--- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths 2018-07-25 17:26:58.378624057 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/apps/openssl.cnf 2018-07-27 13:20:08.198513471 +0200
|
|
||||||
@@ -23,6 +23,22 @@ oid_section = new_oids
|
|
||||||
# (Alternatively, use a configuration file that has only
|
|
||||||
# X.509v3 extensions in its main [= default] section.)
|
|
||||||
|
|
||||||
+# Load default TLS policy configuration
|
|
||||||
+
|
|
||||||
+openssl_conf = default_modules
|
|
||||||
+
|
|
||||||
+[ default_modules ]
|
|
||||||
+
|
|
||||||
+ssl_conf = ssl_module
|
|
||||||
+
|
|
||||||
+[ ssl_module ]
|
|
||||||
+
|
|
||||||
+system_default = crypto_policy
|
|
||||||
+
|
|
||||||
+[ crypto_policy ]
|
|
||||||
+
|
|
||||||
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
|
||||||
+
|
|
||||||
[ new_oids ]
|
|
||||||
|
|
||||||
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
|
|
||||||
@@ -43,7 +59,7 @@ default_ca = CA_default # The default c
|
|
||||||
####################################################################
|
|
||||||
[ CA_default ]
|
|
||||||
|
|
||||||
-dir = ./demoCA # Where everything is kept
|
|
||||||
+dir = /etc/pki/CA # Where everything is kept
|
|
||||||
certs = $dir/certs # Where the issued certs are kept
|
|
||||||
crl_dir = $dir/crl # Where the issued crl are kept
|
|
||||||
database = $dir/index.txt # database index file.
|
|
||||||
@@ -329,7 +345,7 @@ default_tsa = tsa_config1 # the default
|
|
||||||
[ tsa_config1 ]
|
|
||||||
|
|
||||||
# These are used by the TSA reply generation only.
|
|
||||||
-dir = ./demoCA # TSA root directory
|
|
||||||
+dir = /etc/pki/CA # TSA root directory
|
|
||||||
serial = $dir/tsaserial # The current serial number (mandatory)
|
|
||||||
crypto_device = builtin # OpenSSL engine to use for signing
|
|
||||||
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
|
@ -1,91 +0,0 @@
|
|||||||
diff -up openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_client.c
|
|
||||||
--- openssl-1.1.1-pre8/apps/s_client.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/apps/s_client.c 2018-07-16 18:16:40.070186323 +0200
|
|
||||||
@@ -1681,6 +1681,9 @@ int s_client_main(int argc, char **argv)
|
|
||||||
if (sdebug)
|
|
||||||
ssl_ctx_security_debug(ctx, sdebug);
|
|
||||||
|
|
||||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
|
||||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+
|
|
||||||
if (!config_ctx(cctx, ssl_args, ctx))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 openssl-1.1.1-pre8/apps/s_server.c
|
|
||||||
--- openssl-1.1.1-pre8/apps/s_server.c.disable-ssl3 2018-07-16 18:08:20.000487628 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/apps/s_server.c 2018-07-16 18:17:17.300055551 +0200
|
|
||||||
@@ -1760,6 +1760,9 @@ int s_server_main(int argc, char *argv[]
|
|
||||||
if (sdebug)
|
|
||||||
ssl_ctx_security_debug(ctx, sdebug);
|
|
||||||
|
|
||||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
|
||||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+
|
|
||||||
if (!config_ctx(cctx, ssl_args, ctx))
|
|
||||||
goto end;
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.1-pre8/ssl/ssl_lib.c
|
|
||||||
--- openssl-1.1.1-pre8/ssl/ssl_lib.c.disable-ssl3 2018-06-20 16:48:13.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/ssl/ssl_lib.c 2018-07-16 18:08:20.001487652 +0200
|
|
||||||
@@ -3016,6 +3016,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
|
||||||
*/
|
|
||||||
ret->options |= SSL_OP_NO_COMPRESSION | SSL_OP_ENABLE_MIDDLEBOX_COMPAT;
|
|
||||||
|
|
||||||
+ if (meth->version != SSL3_VERSION) {
|
|
||||||
+ /*
|
|
||||||
+ * Disable SSLv3 by default. Applications can
|
|
||||||
+ * re-enable it by configuring
|
|
||||||
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+ * or by using the SSL_CONF API.
|
|
||||||
+ */
|
|
||||||
+ ret->options |= SSL_OP_NO_SSLv3;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff -up openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 openssl-1.1.1-pre8/test/ssl_test.c
|
|
||||||
--- openssl-1.1.1-pre8/test/ssl_test.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/test/ssl_test.c 2018-07-16 18:18:34.806865121 +0200
|
|
||||||
@@ -443,6 +443,7 @@ static int test_handshake(int idx)
|
|
||||||
SSL_TEST_SERVERNAME_CB_NONE) {
|
|
||||||
if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
|
|
||||||
goto err;
|
|
||||||
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
|
|
||||||
TLS_MAX_VERSION)))
|
|
||||||
goto err;
|
|
||||||
@@ -464,6 +465,8 @@ static int test_handshake(int idx)
|
|
||||||
if (!TEST_ptr(resume_server_ctx)
|
|
||||||
|| !TEST_ptr(resume_client_ctx))
|
|
||||||
goto err;
|
|
||||||
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -477,6 +480,9 @@ static int test_handshake(int idx)
|
|
||||||
|| !TEST_int_gt(CONF_modules_load(conf, test_app, 0), 0))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+
|
|
||||||
if (!SSL_CTX_config(server_ctx, "server")
|
|
||||||
|| !SSL_CTX_config(client_ctx, "client")) {
|
|
||||||
goto err;
|
|
||||||
diff -up openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 openssl-1.1.1-pre8/test/ssltest_old.c
|
|
||||||
--- openssl-1.1.1-pre8/test/ssltest_old.c.disable-ssl3 2018-06-20 16:48:15.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/test/ssltest_old.c 2018-07-16 18:08:20.002487676 +0200
|
|
||||||
@@ -1358,6 +1358,11 @@ int main(int argc, char *argv[])
|
|
||||||
ERR_print_errors(bio_err);
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
|
||||||
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* Since we will use low security ciphersuites and keys for testing set
|
|
||||||
* security level to zero by default. Tests can override this by adding
|
|
@ -1,266 +0,0 @@
|
|||||||
diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c
|
|
||||||
--- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200
|
|
||||||
+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100
|
|
||||||
@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2];
|
|
||||||
#endif /* OPENSSL_NO_RSA */
|
|
||||||
|
|
||||||
enum {
|
|
||||||
- R_EC_P160,
|
|
||||||
- R_EC_P192,
|
|
||||||
R_EC_P224,
|
|
||||||
R_EC_P256,
|
|
||||||
R_EC_P384,
|
|
||||||
R_EC_P521,
|
|
||||||
-#ifndef OPENSSL_NO_EC2M
|
|
||||||
- R_EC_K163,
|
|
||||||
- R_EC_K233,
|
|
||||||
- R_EC_K283,
|
|
||||||
- R_EC_K409,
|
|
||||||
- R_EC_K571,
|
|
||||||
- R_EC_B163,
|
|
||||||
- R_EC_B233,
|
|
||||||
- R_EC_B283,
|
|
||||||
- R_EC_B409,
|
|
||||||
- R_EC_B571,
|
|
||||||
-#endif
|
|
||||||
- R_EC_BRP256R1,
|
|
||||||
- R_EC_BRP256T1,
|
|
||||||
- R_EC_BRP384R1,
|
|
||||||
- R_EC_BRP384T1,
|
|
||||||
- R_EC_BRP512R1,
|
|
||||||
- R_EC_BRP512T1,
|
|
||||||
R_EC_X25519,
|
|
||||||
R_EC_X448
|
|
||||||
};
|
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
static OPT_PAIR ecdsa_choices[] = {
|
|
||||||
- {"ecdsap160", R_EC_P160},
|
|
||||||
- {"ecdsap192", R_EC_P192},
|
|
||||||
{"ecdsap224", R_EC_P224},
|
|
||||||
{"ecdsap256", R_EC_P256},
|
|
||||||
{"ecdsap384", R_EC_P384},
|
|
||||||
{"ecdsap521", R_EC_P521},
|
|
||||||
-# ifndef OPENSSL_NO_EC2M
|
|
||||||
- {"ecdsak163", R_EC_K163},
|
|
||||||
- {"ecdsak233", R_EC_K233},
|
|
||||||
- {"ecdsak283", R_EC_K283},
|
|
||||||
- {"ecdsak409", R_EC_K409},
|
|
||||||
- {"ecdsak571", R_EC_K571},
|
|
||||||
- {"ecdsab163", R_EC_B163},
|
|
||||||
- {"ecdsab233", R_EC_B233},
|
|
||||||
- {"ecdsab283", R_EC_B283},
|
|
||||||
- {"ecdsab409", R_EC_B409},
|
|
||||||
- {"ecdsab571", R_EC_B571},
|
|
||||||
-# endif
|
|
||||||
- {"ecdsabrp256r1", R_EC_BRP256R1},
|
|
||||||
- {"ecdsabrp256t1", R_EC_BRP256T1},
|
|
||||||
- {"ecdsabrp384r1", R_EC_BRP384R1},
|
|
||||||
- {"ecdsabrp384t1", R_EC_BRP384T1},
|
|
||||||
- {"ecdsabrp512r1", R_EC_BRP512R1},
|
|
||||||
- {"ecdsabrp512t1", R_EC_BRP512T1}
|
|
||||||
};
|
|
||||||
# define ECDSA_NUM OSSL_NELEM(ecdsa_choices)
|
|
||||||
|
|
||||||
static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */
|
|
||||||
|
|
||||||
static const OPT_PAIR ecdh_choices[] = {
|
|
||||||
- {"ecdhp160", R_EC_P160},
|
|
||||||
- {"ecdhp192", R_EC_P192},
|
|
||||||
{"ecdhp224", R_EC_P224},
|
|
||||||
{"ecdhp256", R_EC_P256},
|
|
||||||
{"ecdhp384", R_EC_P384},
|
|
||||||
{"ecdhp521", R_EC_P521},
|
|
||||||
-# ifndef OPENSSL_NO_EC2M
|
|
||||||
- {"ecdhk163", R_EC_K163},
|
|
||||||
- {"ecdhk233", R_EC_K233},
|
|
||||||
- {"ecdhk283", R_EC_K283},
|
|
||||||
- {"ecdhk409", R_EC_K409},
|
|
||||||
- {"ecdhk571", R_EC_K571},
|
|
||||||
- {"ecdhb163", R_EC_B163},
|
|
||||||
- {"ecdhb233", R_EC_B233},
|
|
||||||
- {"ecdhb283", R_EC_B283},
|
|
||||||
- {"ecdhb409", R_EC_B409},
|
|
||||||
- {"ecdhb571", R_EC_B571},
|
|
||||||
-# endif
|
|
||||||
- {"ecdhbrp256r1", R_EC_BRP256R1},
|
|
||||||
- {"ecdhbrp256t1", R_EC_BRP256T1},
|
|
||||||
- {"ecdhbrp384r1", R_EC_BRP384R1},
|
|
||||||
- {"ecdhbrp384t1", R_EC_BRP384T1},
|
|
||||||
- {"ecdhbrp512r1", R_EC_BRP512R1},
|
|
||||||
- {"ecdhbrp512t1", R_EC_BRP512T1},
|
|
||||||
{"ecdhx25519", R_EC_X25519},
|
|
||||||
{"ecdhx448", R_EC_X448}
|
|
||||||
};
|
|
||||||
@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv)
|
|
||||||
unsigned int bits;
|
|
||||||
} test_curves[] = {
|
|
||||||
/* Prime Curves */
|
|
||||||
- {"secp160r1", NID_secp160r1, 160},
|
|
||||||
- {"nistp192", NID_X9_62_prime192v1, 192},
|
|
||||||
{"nistp224", NID_secp224r1, 224},
|
|
||||||
{"nistp256", NID_X9_62_prime256v1, 256},
|
|
||||||
{"nistp384", NID_secp384r1, 384},
|
|
||||||
{"nistp521", NID_secp521r1, 521},
|
|
||||||
-# ifndef OPENSSL_NO_EC2M
|
|
||||||
- /* Binary Curves */
|
|
||||||
- {"nistk163", NID_sect163k1, 163},
|
|
||||||
- {"nistk233", NID_sect233k1, 233},
|
|
||||||
- {"nistk283", NID_sect283k1, 283},
|
|
||||||
- {"nistk409", NID_sect409k1, 409},
|
|
||||||
- {"nistk571", NID_sect571k1, 571},
|
|
||||||
- {"nistb163", NID_sect163r2, 163},
|
|
||||||
- {"nistb233", NID_sect233r1, 233},
|
|
||||||
- {"nistb283", NID_sect283r1, 283},
|
|
||||||
- {"nistb409", NID_sect409r1, 409},
|
|
||||||
- {"nistb571", NID_sect571r1, 571},
|
|
||||||
-# endif
|
|
||||||
- {"brainpoolP256r1", NID_brainpoolP256r1, 256},
|
|
||||||
- {"brainpoolP256t1", NID_brainpoolP256t1, 256},
|
|
||||||
- {"brainpoolP384r1", NID_brainpoolP384r1, 384},
|
|
||||||
- {"brainpoolP384t1", NID_brainpoolP384t1, 384},
|
|
||||||
- {"brainpoolP512r1", NID_brainpoolP512r1, 512},
|
|
||||||
- {"brainpoolP512t1", NID_brainpoolP512t1, 512},
|
|
||||||
/* Other and ECDH only ones */
|
|
||||||
{"X25519", NID_X25519, 253},
|
|
||||||
{"X448", NID_X448, 448}
|
|
||||||
@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv)
|
|
||||||
# endif
|
|
||||||
|
|
||||||
# ifndef OPENSSL_NO_EC
|
|
||||||
- ecdsa_c[R_EC_P160][0] = count / 1000;
|
|
||||||
- ecdsa_c[R_EC_P160][1] = count / 1000 / 2;
|
|
||||||
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
|
||||||
+ ecdsa_c[R_EC_P224][0] = count / 1000;
|
|
||||||
+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2;
|
|
||||||
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
|
||||||
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2;
|
|
||||||
ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2;
|
|
||||||
if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0)
|
|
||||||
@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
-# ifndef OPENSSL_NO_EC2M
|
|
||||||
+# if 0
|
|
||||||
ecdsa_c[R_EC_K163][0] = count / 1000;
|
|
||||||
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
|
|
||||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
|
||||||
@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
# endif
|
|
||||||
|
|
||||||
- ecdh_c[R_EC_P160][0] = count / 1000;
|
|
||||||
- for (i = R_EC_P192; i <= R_EC_P521; i++) {
|
|
||||||
+ ecdh_c[R_EC_P224][0] = count / 1000;
|
|
||||||
+ for (i = R_EC_P256; i <= R_EC_P521; i++) {
|
|
||||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
|
||||||
if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0)
|
|
||||||
ecdh_doit[i] = 0;
|
|
||||||
@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
-# ifndef OPENSSL_NO_EC2M
|
|
||||||
+# if 0
|
|
||||||
ecdh_c[R_EC_K163][0] = count / 1000;
|
|
||||||
for (i = R_EC_K233; i <= R_EC_K571; i++) {
|
|
||||||
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
|
|
||||||
diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c
|
|
||||||
--- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200
|
|
||||||
+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100
|
|
||||||
@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (BN_num_bits(p) < 224) {
|
|
||||||
+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (ctx == NULL) {
|
|
||||||
ctx = new_ctx = BN_CTX_new();
|
|
||||||
if (ctx == NULL)
|
|
||||||
diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h
|
|
||||||
--- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100
|
|
||||||
+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100
|
|
||||||
@@ -32,23 +32,6 @@ typedef struct {
|
|
||||||
} ecdsa_cavs_kat_t;
|
|
||||||
|
|
||||||
static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
|
|
||||||
- /* prime KATs from X9.62 */
|
|
||||||
- {NID_X9_62_prime192v1, NID_sha1,
|
|
||||||
- "616263", /* "abc" */
|
|
||||||
- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
|
|
||||||
- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
|
|
||||||
- "5ca5c0d69716dfcb3474373902",
|
|
||||||
- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
|
|
||||||
- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
|
|
||||||
- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
|
|
||||||
- {NID_X9_62_prime239v1, NID_sha1,
|
|
||||||
- "616263", /* "abc" */
|
|
||||||
- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
|
|
||||||
- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
|
|
||||||
- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
|
|
||||||
- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
|
|
||||||
- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
|
|
||||||
- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
|
|
||||||
/* prime KATs from NIST CAVP */
|
|
||||||
{NID_secp224r1, NID_sha224,
|
|
||||||
"699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
|
|
||||||
--- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100
|
|
||||||
+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100
|
|
||||||
@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport
|
|
||||||
if disabled("ec");
|
|
||||||
|
|
||||||
my @prime_curves = qw(
|
|
||||||
- secp112r1
|
|
||||||
- secp112r2
|
|
||||||
- secp128r1
|
|
||||||
- secp128r2
|
|
||||||
- secp160k1
|
|
||||||
- secp160r1
|
|
||||||
- secp160r2
|
|
||||||
- secp192k1
|
|
||||||
- secp224k1
|
|
||||||
secp224r1
|
|
||||||
secp256k1
|
|
||||||
secp384r1
|
|
||||||
secp521r1
|
|
||||||
- prime192v1
|
|
||||||
- prime192v2
|
|
||||||
- prime192v3
|
|
||||||
- prime239v1
|
|
||||||
- prime239v2
|
|
||||||
- prime239v3
|
|
||||||
prime256v1
|
|
||||||
- wap-wsg-idm-ecid-wtls6
|
|
||||||
- wap-wsg-idm-ecid-wtls7
|
|
||||||
- wap-wsg-idm-ecid-wtls8
|
|
||||||
- wap-wsg-idm-ecid-wtls9
|
|
||||||
- wap-wsg-idm-ecid-wtls12
|
|
||||||
- brainpoolP160r1
|
|
||||||
- brainpoolP160t1
|
|
||||||
- brainpoolP192r1
|
|
||||||
- brainpoolP192t1
|
|
||||||
- brainpoolP224r1
|
|
||||||
- brainpoolP224t1
|
|
||||||
- brainpoolP256r1
|
|
||||||
- brainpoolP256t1
|
|
||||||
- brainpoolP320r1
|
|
||||||
- brainpoolP320t1
|
|
||||||
- brainpoolP384r1
|
|
||||||
- brainpoolP384t1
|
|
||||||
- brainpoolP512r1
|
|
||||||
- brainpoolP512t1
|
|
||||||
);
|
|
||||||
|
|
||||||
my @binary_curves = qw(
|
|
||||||
@@ -115,7 +81,6 @@ push(@other_curves, 'SM2')
|
|
||||||
if !disabled("sm2");
|
|
||||||
|
|
||||||
my @curve_aliases = qw(
|
|
||||||
- P-192
|
|
||||||
P-224
|
|
||||||
P-256
|
|
||||||
P-384
|
|
@ -1,57 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
|
|
||||||
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
|
|
||||||
@@ -12,6 +12,7 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/kdf.h>
|
|
||||||
+#include "internal/numbers.h"
|
|
||||||
#include "crypto/evp.h"
|
|
||||||
|
|
||||||
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
|
|
||||||
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
|
|
||||||
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
|
|
||||||
@@ -13,6 +13,7 @@
|
|
||||||
#include <openssl/hmac.h>
|
|
||||||
#include <openssl/kdf.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
+#include "internal/numbers.h"
|
|
||||||
#include "internal/cryptlib.h"
|
|
||||||
#include "crypto/evp.h"
|
|
||||||
#include "kdf_local.h"
|
|
||||||
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
|
|
||||||
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
|
|
||||||
@@ -20,7 +20,7 @@
|
|
||||||
#include "crypto/fips.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
#include "internal/dso.h"
|
|
||||||
-#ifdef __linux
|
|
||||||
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
|
|
||||||
# include <sys/syscall.h>
|
|
||||||
# include <sys/random.h>
|
|
||||||
# ifdef DEVRANDOM_WAIT
|
|
||||||
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
|
|
||||||
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
|
|
||||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
|
|
||||||
@@ -50,10 +50,6 @@
|
|
||||||
#include <openssl/opensslconf.h>
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
|
|
||||||
-#ifndef OPENSSL_FIPS
|
|
||||||
-# error FIPS is disabled.
|
|
||||||
-#endif
|
|
||||||
-
|
|
||||||
#ifdef OPENSSL_FIPS
|
|
||||||
|
|
||||||
int FIPS_module_mode_set(int onoff);
|
|
||||||
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
|
|
||||||
|
|
||||||
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
|
|
||||||
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
+# define fips_in_post() 0
|
|
||||||
+
|
|
||||||
#endif
|
|
@ -1,408 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
|
|
||||||
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
LIBS=../../libcrypto
|
|
||||||
SOURCE[../../libcrypto]=\
|
|
||||||
- randfile.c rand_lib.c rand_err.c rand_egd.c \
|
|
||||||
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
|
||||||
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
|
||||||
|
|
||||||
INCLUDE[drbg_ctr.o]=../modes
|
|
||||||
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
|
|
||||||
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
|
|
||||||
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
|
|
||||||
|
|
||||||
|
|
||||||
/* NIST SP 800-90A DRBG recommends the use of a personalization string. */
|
|
||||||
-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
|
|
||||||
+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
|
|
||||||
|
|
||||||
static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
|
|
||||||
|
|
||||||
@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
|
|
||||||
drbg->parent = parent;
|
|
||||||
|
|
||||||
if (parent == NULL) {
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+ drbg->get_entropy = rand_crngt_get_entropy;
|
|
||||||
+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
|
|
||||||
+#else
|
|
||||||
drbg->get_entropy = rand_drbg_get_entropy;
|
|
||||||
drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
|
|
||||||
+#endif
|
|
||||||
#ifndef RAND_DRBG_GET_RANDOM_NONCE
|
|
||||||
drbg->get_nonce = rand_drbg_get_nonce;
|
|
||||||
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
|
|
||||||
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
|
|
||||||
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
|
|
||||||
@@ -0,0 +1,118 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <openssl/evp.h>
|
|
||||||
+#include "crypto/rand.h"
|
|
||||||
+#include "internal/thread_once.h"
|
|
||||||
+#include "rand_local.h"
|
|
||||||
+
|
|
||||||
+static RAND_POOL *crngt_pool;
|
|
||||||
+static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
|
|
||||||
+
|
|
||||||
+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
|
|
||||||
+ = &rand_crngt_get_entropy_cb;
|
|
||||||
+
|
|
||||||
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
|
|
||||||
+ unsigned int *md_size)
|
|
||||||
+{
|
|
||||||
+ int r;
|
|
||||||
+ size_t n;
|
|
||||||
+ unsigned char *p;
|
|
||||||
+
|
|
||||||
+ n = rand_pool_acquire_entropy(crngt_pool);
|
|
||||||
+ if (n >= CRNGT_BUFSIZ) {
|
|
||||||
+ p = rand_pool_detach(crngt_pool);
|
|
||||||
+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
|
||||||
+ if (r != 0)
|
|
||||||
+ memcpy(buf, p, CRNGT_BUFSIZ);
|
|
||||||
+ rand_pool_reattach(crngt_pool, p);
|
|
||||||
+ return r;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void rand_crngt_cleanup(void)
|
|
||||||
+{
|
|
||||||
+ rand_pool_free(crngt_pool);
|
|
||||||
+ crngt_pool = NULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int rand_crngt_init(void)
|
|
||||||
+{
|
|
||||||
+ unsigned char buf[CRNGT_BUFSIZ];
|
|
||||||
+
|
|
||||||
+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+ if (crngt_get_entropy(buf, crngt_prev, NULL)) {
|
|
||||||
+ OPENSSL_cleanse(buf, sizeof(buf));
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ rand_crngt_cleanup();
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
|
|
||||||
+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
|
|
||||||
+{
|
|
||||||
+ return OPENSSL_init_crypto(0, NULL)
|
|
||||||
+ && rand_crngt_init()
|
|
||||||
+ && OPENSSL_atexit(&rand_crngt_cleanup);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int rand_crngt_single_init(void)
|
|
||||||
+{
|
|
||||||
+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
|
||||||
+ unsigned char **pout,
|
|
||||||
+ int entropy, size_t min_len, size_t max_len,
|
|
||||||
+ int prediction_resistance)
|
|
||||||
+{
|
|
||||||
+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
|
|
||||||
+ unsigned int sz;
|
|
||||||
+ RAND_POOL *pool;
|
|
||||||
+ size_t q, r = 0, s, t = 0;
|
|
||||||
+ int attempts = 3;
|
|
||||||
+
|
|
||||||
+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
|
|
||||||
+ s = q > sizeof(buf) ? sizeof(buf) : q;
|
|
||||||
+ if (!crngt_get_entropy(buf, md, &sz)
|
|
||||||
+ || memcmp(crngt_prev, md, sz) == 0
|
|
||||||
+ || !rand_pool_add(pool, buf, s, s * 8))
|
|
||||||
+ goto err;
|
|
||||||
+ memcpy(crngt_prev, md, sz);
|
|
||||||
+ t += s;
|
|
||||||
+ attempts++;
|
|
||||||
+ }
|
|
||||||
+ r = t;
|
|
||||||
+ *pout = rand_pool_detach(pool);
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_cleanse(buf, sizeof(buf));
|
|
||||||
+ rand_pool_free(pool);
|
|
||||||
+ return r;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
|
||||||
+ unsigned char *out, size_t outlen)
|
|
||||||
+{
|
|
||||||
+ OPENSSL_secure_clear_free(out, outlen);
|
|
||||||
+}
|
|
||||||
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
|
|
||||||
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
|
|
||||||
@@ -33,7 +33,15 @@
|
|
||||||
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
|
|
||||||
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
|
|
||||||
|
|
||||||
-
|
|
||||||
+/*
|
|
||||||
+ * The number of bytes that constitutes an atomic lump of entropy with respect
|
|
||||||
+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat
|
|
||||||
+ * arbitrary, the smaller the value, the less entropy is consumed on first
|
|
||||||
+ * read but the higher the probability of the test failing by accident.
|
|
||||||
+ *
|
|
||||||
+ * The value is in bytes.
|
|
||||||
+ */
|
|
||||||
+#define CRNGT_BUFSIZ 16
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
|
||||||
@@ -44,6 +52,8 @@
|
|
||||||
*/
|
|
||||||
# define DRBG_MAX_LENGTH INT32_MAX
|
|
||||||
|
|
||||||
+/* The default nonce */
|
|
||||||
+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG"
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Maximum allocation size for RANDOM_POOL buffers
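Review bot: The comment `/* The default nonce */` does not match the macro under it. `DRBG_DEFAULT_PERS_STRING` is a personalisation string, and the drbgtest.c part of this patch passes it as the personalisation argument of `RAND_DRBG_instantiate`. The nonce and the personalisation string are separate instantiate inputs, so the label can mislead someone auditing the seeding path. Suggested wording: `/* The default personalisation string */`.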
|
|
||||||
@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
|
|
||||||
/* initializes the AES-CTR DRBG implementation */
|
|
||||||
int drbg_ctr_init(RAND_DRBG *drbg);
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
|
|
||||||
+ * These need to be exposed for the unit tests.
|
|
||||||
+ */
|
|
||||||
+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
|
|
||||||
+ unsigned int *md_size);
|
|
||||||
+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
|
|
||||||
+ unsigned int *md_size);
|
|
||||||
+int rand_crngt_init(void);
|
|
||||||
+void rand_crngt_cleanup(void);
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Expose the run once initialisation function for the unit tests because.
|
|
||||||
+ * they need to restart from scratch to validate the first block is skipped
|
|
||||||
+ * properly.
|
|
||||||
+ */
|
|
||||||
+int rand_crngt_single_init(void);
|
|
||||||
+
|
|
||||||
#endif
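Review bot: `crngt_get_entropy` is declared as a writable `extern` function pointer, so any translation unit that includes this header can replace the entropy source the continuous test reads from. The comment above it says only that the callback is exposed for the unit tests. I would state the contract at the declaration, for example `/* Test hook only: outside the unit tests this must keep pointing at rand_crngt_get_entropy_cb */`. The second added comment also has a stray full stop in `unit tests because.`.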
|
|
||||||
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
|
|
||||||
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
|
|
||||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
|
|
||||||
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
|
|
||||||
|
|
||||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
|
||||||
|
|
||||||
+/* CRNG test entropy filter callbacks. */
|
|
||||||
+size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
|
|
||||||
+ unsigned char **pout,
|
|
||||||
+ int entropy, size_t min_len, size_t max_len,
|
|
||||||
+ int prediction_resistance);
|
|
||||||
+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
|
|
||||||
+ unsigned char *out, size_t outlen);
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* RAND_POOL functions
|
|
||||||
*/
|
|
||||||
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
|
|
||||||
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
|
|
||||||
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
|
|
||||||
return t->noncelen;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /*
|
|
||||||
+ * Disable CRNG testing if it is enabled.
|
|
||||||
+ * If the DRBG is ready or in an error state, this means an instantiate cycle
|
|
||||||
+ * for which the default personalisation string is used.
|
|
||||||
+ */
|
|
||||||
+static int disable_crngt(RAND_DRBG *drbg)
|
|
||||||
+{
|
|
||||||
+ static const char pers[] = DRBG_DEFAULT_PERS_STRING;
|
|
||||||
+ const int instantiate = drbg->state != DRBG_UNINITIALISED;
|
|
||||||
+
|
|
||||||
+ if (drbg->get_entropy != rand_crngt_get_entropy)
|
|
||||||
+ return 1;
|
|
||||||
+
|
|
||||||
+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
|
|
||||||
+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
|
|
||||||
+ &rand_drbg_cleanup_entropy,
|
|
||||||
+ &rand_drbg_get_nonce,
|
|
||||||
+ &rand_drbg_cleanup_nonce))
|
|
||||||
+ || (instantiate
|
|
||||||
+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
|
|
||||||
+ sizeof(pers) - 1)))
|
|
||||||
+ return 0;
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int uninstantiate(RAND_DRBG *drbg)
|
|
||||||
{
|
|
||||||
int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
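Review bot: In `disable_crngt` only the `RAND_DRBG_set_callbacks` call is wrapped in `TEST_true`. A failing `RAND_DRBG_uninstantiate` or `RAND_DRBG_instantiate` therefore returns 0 with nothing in the test log to say which step failed. Wrapping them the same way, `(instantiate && !TEST_true(RAND_DRBG_uninstantiate(drbg)))` and likewise for the instantiate call, keeps the diagnostics consistent. The block comment above the helper is also indented by one column, unlike the other top-level comments in the patch.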
|
|
||||||
@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
|
|
||||||
if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
|
|
||||||
return 0;
|
|
||||||
if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
||||||
- kat_nonce, NULL))) {
|
|
||||||
+ kat_nonce, NULL))
|
|
||||||
+ || !TEST_true(disable_crngt(drbg))) {
|
|
||||||
failures++;
|
|
||||||
goto err;
|
|
||||||
}
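Review bot: The added `disable_crngt(drbg)` call looks like a no-op here. The helper returns 1 as soon as `drbg->get_entropy != rand_crngt_get_entropy`, and the preceding `RAND_DRBG_set_callbacks` call has presumably just installed `kat_entropy` in that field. If it is kept as a safeguard, a comment would make that explicit, for example `/* no-op once kat_entropy is installed; kept for symmetry with error_check() */`. Otherwise the call can be dropped. The body of `single_kat` continues outside the hunk.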
|
|
||||||
@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
|
|
||||||
unsigned int reseed_counter_tmp;
|
|
||||||
int ret = 0;
|
|
||||||
|
|
||||||
- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
|
|
||||||
+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
|
|
||||||
+ || !TEST_true(disable_crngt(drbg)))
|
|
||||||
goto err;
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
|
|
||||||
|| !TEST_ptr_eq(private->parent, master))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
+ /* Disable CRNG testing for the master DRBG */
|
|
||||||
+ if (!TEST_true(disable_crngt(master)))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
/* uninstantiate the three global DRBGs */
|
|
||||||
RAND_DRBG_uninstantiate(private);
|
|
||||||
RAND_DRBG_uninstantiate(public);
|
|
||||||
@@ -964,7 +995,8 @@ static int test_rand_seed(void)
|
|
||||||
size_t rand_buflen;
|
|
||||||
size_t required_seed_buflen = 0;
|
|
||||||
|
|
||||||
- if (!TEST_ptr(master = RAND_DRBG_get0_master()))
|
|
||||||
+ if (!TEST_ptr(master = RAND_DRBG_get0_master())
|
|
||||||
+ || !TEST_true(disable_crngt(master)))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
#ifdef OPENSSL_RAND_SEED_NONE
|
|
||||||
@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * A list of the FIPS DRGB types.
|
|
||||||
+ */
|
|
||||||
+static const struct s_drgb_types {
|
|
||||||
+ int nid;
|
|
||||||
+ int flags;
|
|
||||||
+} drgb_types[] = {
|
|
||||||
+ { NID_aes_128_ctr, 0 },
|
|
||||||
+ { NID_aes_192_ctr, 0 },
|
|
||||||
+ { NID_aes_256_ctr, 0 },
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+/* Six cases for each covers seed sizes up to 32 bytes */
|
|
||||||
+static const size_t crngt_num_cases = 6;
|
|
||||||
+
|
|
||||||
+static size_t crngt_case, crngt_idx;
|
|
||||||
+
|
|
||||||
+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
|
|
||||||
+ unsigned int *md_size)
|
|
||||||
+{
|
|
||||||
+ size_t i, z;
|
|
||||||
+
|
|
||||||
+ if (!TEST_int_lt(crngt_idx, crngt_num_cases))
|
|
||||||
+ return 0;
|
|
||||||
+ /* Generate a block of unique data unless this is the duplication point */
|
|
||||||
+ z = crngt_idx++;
|
|
||||||
+ if (z > 0 && crngt_case == z)
|
|
||||||
+ z--;
|
|
||||||
+ for (i = 0; i < CRNGT_BUFSIZ; i++)
|
|
||||||
+ buf[i] = (unsigned char)(i + 'A' + z);
|
|
||||||
+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_crngt(int n)
|
|
||||||
+{
|
|
||||||
+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
|
|
||||||
+ RAND_DRBG *drbg = NULL;
|
|
||||||
+ unsigned char buff[100];
|
|
||||||
+ size_t ent;
|
|
||||||
+ int res = 0;
|
|
||||||
+ int expect;
|
|
||||||
+
|
|
||||||
+ if (!TEST_true(rand_crngt_single_init()))
|
|
||||||
+ return 0;
|
|
||||||
+ rand_crngt_cleanup();
|
|
||||||
+
|
|
||||||
+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
|
|
||||||
+ return 0;
|
|
||||||
+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
|
|
||||||
+ crngt_case = n % crngt_num_cases;
|
|
||||||
+ crngt_idx = 0;
|
|
||||||
+ crngt_get_entropy = &crngt_entropy_cb;
|
|
||||||
+ if (!TEST_true(rand_crngt_init()))
|
|
||||||
+ goto err;
|
|
||||||
+#ifndef OPENSSL_FIPS
|
|
||||||
+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
|
|
||||||
+ &rand_crngt_cleanup_entropy,
|
|
||||||
+ &rand_drbg_get_nonce,
|
|
||||||
+ &rand_drbg_cleanup_nonce)))
|
|
||||||
+ goto err;
|
|
||||||
+#endif
|
|
||||||
+ expect = crngt_case == 0 || crngt_case > ent;
|
|
||||||
+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!expect)
|
|
||||||
+ goto fin;
|
|
||||||
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+ expect = crngt_case == 0 || crngt_case > 2 * ent;
|
|
||||||
+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
|
|
||||||
+ goto err;
|
|
||||||
+ if (!expect)
|
|
||||||
+ goto fin;
|
|
||||||
+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
|
|
||||||
+ goto err;
|
|
||||||
+
|
|
||||||
+fin:
|
|
||||||
+ res = 1;
|
|
||||||
+err:
|
|
||||||
+ if (!res)
|
|
||||||
+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
|
|
||||||
+ crngt_case, crngt_idx);
|
|
||||||
+ uninstantiate(drbg);
|
|
||||||
+ RAND_DRBG_free(drbg);
|
|
||||||
+ crngt_get_entropy = &rand_crngt_get_entropy_cb;
|
|
||||||
+ return res;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
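Review bot: The `TEST_note` call in `test_crngt` prints three `size_t` values with `%zd`; the matching conversion is `%zu`, giving `TEST_note("DRBG %zu case %zu block %zu", ...)`. In `crngt_entropy_cb` the comparison `TEST_int_lt(crngt_idx, crngt_num_cases)` likewise narrows two `size_t` operands to `int`, where `TEST_size_t_lt` would compare them at their own type. The identifiers `drgb_types` and `s_drgb_types` and the comment `FIPS DRGB types` transpose the letters of DRBG, which makes the table harder to find by search.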
|
|
||||||
@@ -1025,5 +1146,6 @@ int setup_tests(void)
|
|
||||||
#if defined(OPENSSL_THREADS)
|
|
||||||
ADD_TEST(test_multi_thread);
|
|
||||||
#endif
|
|
||||||
+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
|
|
||||||
return 1;
|
|
||||||
}
|
|
@ -1,200 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
|
|
||||||
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
|
|
||||||
@@ -13,6 +13,7 @@
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/obj_mac.h>
|
|
||||||
#include <openssl/opensslconf.h>
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
#include "internal/nelem.h"
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
@@ -237,6 +238,7 @@ static const struct {
|
|
||||||
|
|
||||||
typedef struct _ec_list_element_st {
|
|
||||||
int nid;
|
|
||||||
+ int fips_allowed;
|
|
||||||
const EC_CURVE_DATA *data;
|
|
||||||
const EC_METHOD *(*meth) (void);
|
|
||||||
const char *comment;
|
|
||||||
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
|
|
||||||
/* prime field curves */
|
|
||||||
/* secg curves */
|
|
||||||
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
|
|
||||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
|
||||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
#else
|
|
||||||
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
|
|
||||||
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
|
|
||||||
"NIST/SECG curve over a 224 bit prime field"},
|
|
||||||
#endif
|
|
||||||
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
|
|
||||||
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
|
|
||||||
"SECG curve over a 256 bit prime field"},
|
|
||||||
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
|
|
||||||
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
|
|
||||||
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp384_method,
|
|
||||||
# else
|
|
||||||
0,
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 384 bit prime field"},
|
|
||||||
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
|
|
||||||
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
|
|
||||||
# if defined(S390X_EC_ASM)
|
|
||||||
EC_GFp_s390x_nistp521_method,
|
|
||||||
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
|
|
||||||
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
|
|
||||||
# endif
|
|
||||||
"NIST/SECG curve over a 521 bit prime field"},
|
|
||||||
/* X9.62 curves */
|
|
||||||
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
|
|
||||||
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
|
|
||||||
#if defined(ECP_NISTZ256_ASM)
|
|
||||||
EC_GFp_nistz256_method,
|
|
||||||
# elif defined(S390X_EC_ASM)
|
|
||||||
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
|
||||||
|
|
||||||
for (i = 0; i < curve_list_length; i++)
|
|
||||||
if (curve_list[i].nid == nid) {
|
|
||||||
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
|
|
||||||
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
ret = ec_group_new_from_data(curve_list[i]);
|
|
||||||
break;
|
|
||||||
}
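Review bot: The FIPS rejection reuses `EC_R_NOT_A_NIST_PRIME`, which describes the curve rather than the policy that refused it. Someone reading the error queue cannot tell that FIPS mode was the cause. A comment on the new branch would help, for example `/* built-in curve, but not approved for use in FIPS mode */`, and a dedicated reason code would be clearer if one can be added. The check covers lookup by NID only; whether groups built from explicit parameters are restricted is not visible in this hunk. The function starts and ends outside the hunk.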
|
|
||||||
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
|
|
||||||
|
|
||||||
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
|
|
||||||
{
|
|
||||||
- size_t i, min;
|
|
||||||
+ size_t i, j, num;
|
|
||||||
+ int fips_mode = FIPS_mode();
|
|
||||||
|
|
||||||
- if (r == NULL || nitems == 0)
|
|
||||||
- return curve_list_length;
|
|
||||||
+ num = curve_list_length;
|
|
||||||
+ if (fips_mode)
|
|
||||||
+ for (i = 0; i < curve_list_length; i++) {
|
|
||||||
+ if (!curve_list[i].fips_allowed)
|
|
||||||
+ --num;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- min = nitems < curve_list_length ? nitems : curve_list_length;
|
|
||||||
+ if (r == NULL || nitems == 0) {
|
|
||||||
+ return num;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- for (i = 0; i < min; i++) {
|
|
||||||
- r[i].nid = curve_list[i].nid;
|
|
||||||
- r[i].comment = curve_list[i].comment;
|
|
||||||
+ for (i = 0, j = 0; i < curve_list_length; i++) {
|
|
||||||
+ if (j >= nitems)
|
|
||||||
+ break;
|
|
||||||
+ if (!fips_mode || curve_list[i].fips_allowed) {
|
|
||||||
+ r[j].nid = curve_list[i].nid;
|
|
||||||
+ r[j].comment = curve_list[i].comment;
|
|
||||||
+ ++j;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
- return curve_list_length;
|
|
||||||
+ return num;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Functions to translate between common NIST curve names and NIDs */
|
|
||||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
|
|
||||||
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
|
|
||||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
|
|
||||||
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
|
|
||||||
#endif
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const uint16_t tls12_fips_sigalgs[] = {
|
|
||||||
+#ifndef OPENSSL_NO_EC
|
|
||||||
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
|
||||||
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
|
|
||||||
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
|
|
||||||
+
|
|
||||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
|
|
||||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
|
|
||||||
+
|
|
||||||
+#ifndef OPENSSL_NO_EC
|
|
||||||
+ TLSEXT_SIGALG_ecdsa_sha224,
|
|
||||||
+#endif
|
|
||||||
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
|
|
||||||
+#ifndef OPENSSL_NO_DSA
|
|
||||||
+ TLSEXT_SIGALG_dsa_sha224,
|
|
||||||
+ TLSEXT_SIGALG_dsa_sha256,
|
|
||||||
+ TLSEXT_SIGALG_dsa_sha384,
|
|
||||||
+ TLSEXT_SIGALG_dsa_sha512,
|
|
||||||
+#endif
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
static const uint16_t suiteb_sigalgs[] = {
|
|
||||||
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
|
|
||||||
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
|
|
||||||
}
|
|
||||||
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
|
|
||||||
return NULL;
|
|
||||||
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
|
|
||||||
+ return NULL;
|
|
||||||
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
|
|
||||||
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
|
|
||||||
|
|
||||||
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
|
|
||||||
} else if (s->cert->conf_sigalgs) {
|
|
||||||
*psigs = s->cert->conf_sigalgs;
|
|
||||||
return s->cert->conf_sigalgslen;
|
|
||||||
+ } else if (FIPS_mode()) {
|
|
||||||
+ *psigs = tls12_fips_sigalgs;
|
|
||||||
+ return OSSL_NELEM(tls12_fips_sigalgs);
|
|
||||||
} else {
|
|
||||||
*psigs = tls12_sigalgs;
|
|
||||||
return OSSL_NELEM(tls12_sigalgs);
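Review bot: The FIPS default list is consulted only after `s->cert->conf_sigalgs`, so a configured signature-algorithm list is returned unchanged in FIPS mode. The `tls_check_sigalg_curve` hunk that follows has the same ordering. If FIPS mode is meant to restrict what is offered regardless of configuration, the configured list needs filtering here or in `tls12_sigalg_allowed`, whose hunk in this patch adds only a GOST check. If the intent is to rely on lower layers refusing unapproved algorithms, say so on the new branch, for example `/* configured sigalgs are not filtered against tls12_fips_sigalgs */`. The function starts and ends outside the hunk.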
|
|
||||||
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
|
|
||||||
if (s->cert->conf_sigalgs) {
|
|
||||||
sigs = s->cert->conf_sigalgs;
|
|
||||||
siglen = s->cert->conf_sigalgslen;
|
|
||||||
+ } else if (FIPS_mode()) {
|
|
||||||
+ sigs = tls12_fips_sigalgs;
|
|
||||||
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
|
|
||||||
} else {
|
|
||||||
sigs = tls12_sigalgs;
|
|
||||||
siglen = OSSL_NELEM(tls12_sigalgs);
|
|
||||||
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
|
|
||||||
if (lu->sig == NID_id_GostR3410_2012_256
|
|
||||||
|| lu->sig == NID_id_GostR3410_2012_512
|
|
||||||
|| lu->sig == NID_id_GostR3410_2001) {
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ return 0;
|
|
||||||
/* We never allow GOST sig algs on the server with TLSv1.3 */
|
|
||||||
if (s->server && SSL_IS_TLS13(s))
|
|
||||||
return 0;
|
|
||||||
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
|
|
||||||
const uint16_t *sent_sigs;
|
|
||||||
size_t sent_sigslen;
|
|
||||||
|
|
||||||
+ if (fatalerrs && FIPS_mode()) {
|
|
||||||
+ /* There are no suitable legacy algorithms in FIPS mode */
|
|
||||||
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
|
|
||||||
+ SSL_F_TLS_CHOOSE_SIGALG,
|
|
||||||
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
|
|
||||||
if (!fatalerrs)
|
|
||||||
return 1;
|
|
@ -1,587 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
|
|
||||||
@@ -67,12 +67,18 @@
|
|
||||||
|
|
||||||
# include <openssl/fips.h>
|
|
||||||
# include "crypto/fips.h"
|
|
||||||
+# include "crypto/rand.h"
|
|
||||||
# include "fips_locl.h"
|
|
||||||
|
|
||||||
/* Run all selftests */
|
|
||||||
int FIPS_selftest(void)
|
|
||||||
{
|
|
||||||
int rv = 1;
|
|
||||||
+ if (!rand_drbg_selftest()) {
|
|
||||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE);
|
|
||||||
+ ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
|
|
||||||
+ rv = 0;
|
|
||||||
+ }
|
|
||||||
if (!FIPS_selftest_drbg())
|
|
||||||
rv = 0;
|
|
||||||
if (!FIPS_selftest_sha1())
|
|
||||||
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
|
|
||||||
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
LIBS=../../libcrypto
|
|
||||||
SOURCE[../../libcrypto]=\
|
|
||||||
randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
|
|
||||||
- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
|
|
||||||
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
|
|
||||||
|
|
||||||
INCLUDE[drbg_ctr.o]=../modes
|
|
||||||
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
|
|
||||||
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
|
|
||||||
@@ -0,0 +1,537 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the OpenSSL license (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stddef.h>
|
|
||||||
+#include "internal/nelem.h"
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
+#include <openssl/err.h>
|
|
||||||
+#include <openssl/rand_drbg.h>
|
|
||||||
+#include <openssl/obj_mac.h>
|
|
||||||
+#include "internal/thread_once.h"
|
|
||||||
+#include "crypto/rand.h"
|
|
||||||
+
|
|
||||||
+typedef struct test_ctx_st {
|
|
||||||
+ const unsigned char *entropy;
|
|
||||||
+ size_t entropylen;
|
|
||||||
+ int entropycnt;
|
|
||||||
+ const unsigned char *nonce;
|
|
||||||
+ size_t noncelen;
|
|
||||||
+ int noncecnt;
|
|
||||||
+} TEST_CTX;
|
|
||||||
+
|
|
||||||
+static int app_data_index = -1;
|
|
||||||
+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
|
|
||||||
+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
|
|
||||||
+{
|
|
||||||
+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+enum drbg_kat_type {
|
|
||||||
+ NO_RESEED,
|
|
||||||
+ PR_FALSE,
|
|
||||||
+ PR_TRUE
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+enum drbg_df {
|
|
||||||
+ USE_DF,
|
|
||||||
+ NO_DF,
|
|
||||||
+ NA
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct drbg_kat_no_reseed {
|
|
||||||
+ size_t count;
|
|
||||||
+ const unsigned char *entropyin;
|
|
||||||
+ const unsigned char *nonce;
|
|
||||||
+ const unsigned char *persstr;
|
|
||||||
+ const unsigned char *addin1;
|
|
||||||
+ const unsigned char *addin2;
|
|
||||||
+ const unsigned char *retbytes;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct drbg_kat_pr_false {
|
|
||||||
+ size_t count;
|
|
||||||
+ const unsigned char *entropyin;
|
|
||||||
+ const unsigned char *nonce;
|
|
||||||
+ const unsigned char *persstr;
|
|
||||||
+ const unsigned char *entropyinreseed;
|
|
||||||
+ const unsigned char *addinreseed;
|
|
||||||
+ const unsigned char *addin1;
|
|
||||||
+ const unsigned char *addin2;
|
|
||||||
+ const unsigned char *retbytes;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct drbg_kat_pr_true {
|
|
||||||
+ size_t count;
|
|
||||||
+ const unsigned char *entropyin;
|
|
||||||
+ const unsigned char *nonce;
|
|
||||||
+ const unsigned char *persstr;
|
|
||||||
+ const unsigned char *entropyinpr1;
|
|
||||||
+ const unsigned char *addin1;
|
|
||||||
+ const unsigned char *entropyinpr2;
|
|
||||||
+ const unsigned char *addin2;
|
|
||||||
+ const unsigned char *retbytes;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+struct drbg_kat {
|
|
||||||
+ enum drbg_kat_type type;
|
|
||||||
+ enum drbg_df df;
|
|
||||||
+ int nid;
|
|
||||||
+
|
|
||||||
+ size_t entropyinlen;
|
|
||||||
+ size_t noncelen;
|
|
||||||
+ size_t persstrlen;
|
|
||||||
+ size_t addinlen;
|
|
||||||
+ size_t retbyteslen;
|
|
||||||
+
|
|
||||||
+ const void *t;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Excerpt from test/drbg_cavs_data.c
|
|
||||||
+ * DRBG test vectors from:
|
|
||||||
+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+static const unsigned char kat1308_entropyin[] = {
|
|
||||||
+ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
|
|
||||||
+ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
|
|
||||||
+ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
|
|
||||||
+ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1308_nonce[] = {0};
|
|
||||||
+static const unsigned char kat1308_persstr[] = {
|
|
||||||
+ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
|
|
||||||
+ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
|
|
||||||
+ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
|
|
||||||
+ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1308_addin0[] = {
|
|
||||||
+ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
|
|
||||||
+ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
|
|
||||||
+ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
|
|
||||||
+ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1308_addin1[] = {
|
|
||||||
+ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
|
|
||||||
+ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
|
|
||||||
+ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
|
|
||||||
+ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1308_retbits[] = {
|
|
||||||
+ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
|
|
||||||
+ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
|
|
||||||
+ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
|
|
||||||
+ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
|
|
||||||
+ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
|
|
||||||
+ 0x26, 0x32, 0xd0, 0xb8,
|
|
||||||
+};
|
|
||||||
+static const struct drbg_kat_no_reseed kat1308_t = {
|
|
||||||
+ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
|
|
||||||
+ kat1308_addin0, kat1308_addin1, kat1308_retbits
|
|
||||||
+};
|
|
||||||
+static const struct drbg_kat kat1308 = {
|
|
||||||
+ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const unsigned char kat1465_entropyin[] = {
|
|
||||||
+ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
|
|
||||||
+ 0x87, 0xbe, 0xaa, 0xc0,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1465_nonce[] = {
|
|
||||||
+ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1465_persstr[] = {0};
|
|
||||||
+static const unsigned char kat1465_entropyinreseed[] = {
|
|
||||||
+ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
|
|
||||||
+ 0x1f, 0x4b, 0x7b, 0x51,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1465_addinreseed[] = {
|
|
||||||
+ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
|
|
||||||
+ 0x61, 0x9f, 0x26, 0x5f,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1465_addin0[] = {
|
|
||||||
+ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
|
|
||||||
+ 0x10, 0x5a, 0x73, 0x9c,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1465_addin1[] = {
|
|
||||||
+ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
|
|
||||||
+ 0x47, 0x99, 0x1f, 0xeb,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat1465_retbits[] = {
|
|
||||||
+ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
|
|
||||||
+ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
|
|
||||||
+ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
|
|
||||||
+ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
|
|
||||||
+ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
|
|
||||||
+ 0x58, 0xdb, 0x27, 0xba,
|
|
||||||
+};
|
|
||||||
+static const struct drbg_kat_pr_false kat1465_t = {
|
|
||||||
+ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
|
|
||||||
+ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
|
|
||||||
+ kat1465_addin1, kat1465_retbits
|
|
||||||
+};
|
|
||||||
+static const struct drbg_kat kat1465 = {
|
|
||||||
+ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const unsigned char kat3146_entropyin[] = {
|
|
||||||
+ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
|
|
||||||
+ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat3146_nonce[] = {
|
|
||||||
+ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
|
|
||||||
+ 0x50, 0x86, 0xca, 0xca,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat3146_persstr[] = {0};
|
|
||||||
+static const unsigned char kat3146_entropyinpr1[] = {
|
|
||||||
+ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
|
|
||||||
+ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat3146_addinpr1[] = {
|
|
||||||
+ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
|
|
||||||
+ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
|
|
||||||
+ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat3146_entropyinpr2[] = {
|
|
||||||
+ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
|
|
||||||
+ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat3146_addinpr2[] = {
|
|
||||||
+ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
|
|
||||||
+ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
|
|
||||||
+ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
|
|
||||||
+};
|
|
||||||
+static const unsigned char kat3146_retbits[] = {
|
|
||||||
+ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
|
|
||||||
+ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
|
|
||||||
+ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
|
|
||||||
+ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
|
|
||||||
+ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
|
|
||||||
+ 0xd4, 0x30, 0x73, 0xbb,
|
|
||||||
+};
|
|
||||||
+static const struct drbg_kat_pr_true kat3146_t = {
|
|
||||||
+ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
|
|
||||||
+ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
|
|
||||||
+ kat3146_addinpr2, kat3146_retbits
|
|
||||||
+};
|
|
||||||
+static const struct drbg_kat kat3146 = {
|
|
||||||
+ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
|
|
||||||
+
|
|
||||||
+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
|
|
||||||
+
|
|
||||||
+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
|
|
||||||
+ int entropy, size_t min_len, size_t max_len,
|
|
||||||
+ int prediction_resistance)
|
|
||||||
+{
|
|
||||||
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
|
||||||
+
|
|
||||||
+ t->entropycnt++;
|
|
||||||
+ *pout = (unsigned char *)t->entropy;
|
|
||||||
+ return t->entropylen;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
|
|
||||||
+ int entropy, size_t min_len, size_t max_len)
|
|
||||||
+{
|
|
||||||
+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
|
|
||||||
+
|
|
||||||
+ t->noncecnt++;
|
|
||||||
+ *pout = (unsigned char *)t->nonce;
|
|
||||||
+ return t->noncelen;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Do a single NO_RESEED KAT:
|
|
||||||
+ *
|
|
||||||
+ * Instantiate
|
|
||||||
+ * Generate Random Bits (pr=false)
|
|
||||||
+ * Generate Random Bits (pr=false)
|
|
||||||
+ * Uninstantiate
|
|
||||||
+ *
|
|
||||||
+ * Return 0 on failure.
|
|
||||||
+ */
|
|
||||||
+static int single_kat_no_reseed(const struct drbg_kat *td)
|
|
||||||
+{
|
|
||||||
+ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
|
|
||||||
+ RAND_DRBG *drbg = NULL;
|
|
||||||
+ unsigned char *buff = NULL;
|
|
||||||
+ unsigned int flags = 0;
|
|
||||||
+ int failures = 0;
|
|
||||||
+ TEST_CTX t;
|
|
||||||
+
|
|
||||||
+ if (td->df != USE_DF)
|
|
||||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
|
||||||
+
|
|
||||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
||||||
+ kat_nonce, NULL)) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ memset(&t, 0, sizeof(t));
|
|
||||||
+ t.entropy = data->entropyin;
|
|
||||||
+ t.entropylen = td->entropyinlen;
|
|
||||||
+ t.nonce = data->nonce;
|
|
||||||
+ t.noncelen = td->noncelen;
|
|
||||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
|
||||||
+
|
|
||||||
+ buff = OPENSSL_malloc(td->retbyteslen);
|
|
||||||
+ if (buff == NULL) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
|
|
||||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
|
||||||
+ data->addin1, td->addinlen)
|
|
||||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
|
||||||
+ data->addin2, td->addinlen)
|
|
||||||
+ || memcmp(data->retbytes, buff,
|
|
||||||
+ td->retbyteslen) != 0)
|
|
||||||
+ failures++;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_free(buff);
|
|
||||||
+ RAND_DRBG_uninstantiate(drbg);
|
|
||||||
+ RAND_DRBG_free(drbg);
|
|
||||||
+ return failures == 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*-
|
|
||||||
+ * Do a single PR_FALSE KAT:
|
|
||||||
+ *
|
|
||||||
+ * Instantiate
|
|
||||||
+ * Reseed
|
|
||||||
+ * Generate Random Bits (pr=false)
|
|
||||||
+ * Generate Random Bits (pr=false)
|
|
||||||
+ * Uninstantiate
|
|
||||||
+ *
|
|
||||||
+ * Return 0 on failure.
|
|
||||||
+ */
|
|
||||||
+static int single_kat_pr_false(const struct drbg_kat *td)
|
|
||||||
+{
|
|
||||||
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
|
|
||||||
+ RAND_DRBG *drbg = NULL;
|
|
||||||
+ unsigned char *buff = NULL;
|
|
||||||
+ unsigned int flags = 0;
|
|
||||||
+ int failures = 0;
|
|
||||||
+ TEST_CTX t;
|
|
||||||
+
|
|
||||||
+ if (td->df != USE_DF)
|
|
||||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
|
||||||
+
|
|
||||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
||||||
+ kat_nonce, NULL)) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ memset(&t, 0, sizeof(t));
|
|
||||||
+ t.entropy = data->entropyin;
|
|
||||||
+ t.entropylen = td->entropyinlen;
|
|
||||||
+ t.nonce = data->nonce;
|
|
||||||
+ t.noncelen = td->noncelen;
|
|
||||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
|
||||||
+
|
|
||||||
+ buff = OPENSSL_malloc(td->retbyteslen);
|
|
||||||
+ if (buff == NULL) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
|
||||||
+ failures++;
|
|
||||||
+
|
|
||||||
+ t.entropy = data->entropyinreseed;
|
|
||||||
+ t.entropylen = td->entropyinlen;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
|
|
||||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
|
||||||
+ data->addin1, td->addinlen)
|
|
||||||
+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
|
|
||||||
+ data->addin2, td->addinlen)
|
|
||||||
+ || memcmp(data->retbytes, buff,
|
|
||||||
+ td->retbyteslen) != 0)
|
|
||||||
+ failures++;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_free(buff);
|
|
||||||
+ RAND_DRBG_uninstantiate(drbg);
|
|
||||||
+ RAND_DRBG_free(drbg);
|
|
||||||
+ return failures == 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*-
|
|
||||||
+ * Do a single PR_TRUE KAT:
|
|
||||||
+ *
|
|
||||||
+ * Instantiate
|
|
||||||
+ * Generate Random Bits (pr=true)
|
|
||||||
+ * Generate Random Bits (pr=true)
|
|
||||||
+ * Uninstantiate
|
|
||||||
+ *
|
|
||||||
+ * Return 0 on failure.
|
|
||||||
+ */
|
|
||||||
+static int single_kat_pr_true(const struct drbg_kat *td)
|
|
||||||
+{
|
|
||||||
+ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
|
|
||||||
+ RAND_DRBG *drbg = NULL;
|
|
||||||
+ unsigned char *buff = NULL;
|
|
||||||
+ unsigned int flags = 0;
|
|
||||||
+ int failures = 0;
|
|
||||||
+ TEST_CTX t;
|
|
||||||
+
|
|
||||||
+ if (td->df != USE_DF)
|
|
||||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
|
||||||
+
|
|
||||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
||||||
+ kat_nonce, NULL)) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ memset(&t, 0, sizeof(t));
|
|
||||||
+ t.nonce = data->nonce;
|
|
||||||
+ t.noncelen = td->noncelen;
|
|
||||||
+ t.entropy = data->entropyin;
|
|
||||||
+ t.entropylen = td->entropyinlen;
|
|
||||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
|
||||||
+
|
|
||||||
+ buff = OPENSSL_malloc(td->retbyteslen);
|
|
||||||
+ if (buff == NULL) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
|
||||||
+ failures++;
|
|
||||||
+
|
|
||||||
+ t.entropy = data->entropyinpr1;
|
|
||||||
+ t.entropylen = td->entropyinlen;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
|
|
||||||
+ data->addin1, td->addinlen))
|
|
||||||
+ failures++;
|
|
||||||
+
|
|
||||||
+ t.entropy = data->entropyinpr2;
|
|
||||||
+ t.entropylen = td->entropyinlen;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
|
|
||||||
+ data->addin2, td->addinlen)
|
|
||||||
+ || memcmp(data->retbytes, buff,
|
|
||||||
+ td->retbyteslen) != 0)
|
|
||||||
+ failures++;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_free(buff);
|
|
||||||
+ RAND_DRBG_uninstantiate(drbg);
|
|
||||||
+ RAND_DRBG_free(drbg);
|
|
||||||
+ return failures == 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_kats(int i)
|
|
||||||
+{
|
|
||||||
+ const struct drbg_kat *td = drbg_test[i];
|
|
||||||
+ int rv = 0;
|
|
||||||
+
|
|
||||||
+ switch (td->type) {
|
|
||||||
+ case NO_RESEED:
|
|
||||||
+ if (!single_kat_no_reseed(td))
|
|
||||||
+ goto err;
|
|
||||||
+ break;
|
|
||||||
+ case PR_FALSE:
|
|
||||||
+ if (!single_kat_pr_false(td))
|
|
||||||
+ goto err;
|
|
||||||
+ break;
|
|
||||||
+ case PR_TRUE:
|
|
||||||
+ if (!single_kat_pr_true(td))
|
|
||||||
+ goto err;
|
|
||||||
+ break;
|
|
||||||
+ default: /* cant happen */
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ rv = 1;
|
|
||||||
+err:
|
|
||||||
+ return rv;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*-
|
|
||||||
+ * Do one expected-error test:
|
|
||||||
+ *
|
|
||||||
+ * Instantiate with no entropy supplied
|
|
||||||
+ *
|
|
||||||
+ * Return 0 on failure.
|
|
||||||
+ */
|
|
||||||
+static int test_drbg_sanity(const struct drbg_kat *td)
|
|
||||||
+{
|
|
||||||
+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
|
|
||||||
+ RAND_DRBG *drbg = NULL;
|
|
||||||
+ unsigned int flags = 0;
|
|
||||||
+ int failures = 0;
|
|
||||||
+ TEST_CTX t;
|
|
||||||
+
|
|
||||||
+ if (td->df != USE_DF)
|
|
||||||
+ flags |= RAND_DRBG_FLAG_CTR_NO_DF;
|
|
||||||
+
|
|
||||||
+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
|
|
||||||
+ kat_nonce, NULL)) {
|
|
||||||
+ failures++;
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ memset(&t, 0, sizeof(t));
|
|
||||||
+ t.entropy = data->entropyin;
|
|
||||||
+ t.entropylen = 0; /* No entropy */
|
|
||||||
+ t.nonce = data->nonce;
|
|
||||||
+ t.noncelen = td->noncelen;
|
|
||||||
+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
|
|
||||||
+
|
|
||||||
+ ERR_set_mark();
|
|
||||||
+ /* This must fail. */
|
|
||||||
+ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
|
|
||||||
+ failures++;
|
|
||||||
+ RAND_DRBG_uninstantiate(drbg);
|
|
||||||
+ ERR_pop_to_mark();
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ RAND_DRBG_free(drbg);
|
|
||||||
+ return failures == 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+int rand_drbg_selftest(void)
|
|
||||||
+{
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < drbg_test_nelem; i++) {
|
|
||||||
+ if (test_kats(i) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (test_drbg_sanity(&kat1465) <= 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
|
|
||||||
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
|
|
||||||
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
|
|
||||||
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
|
|
||||||
*/
|
|
||||||
void rand_pool_keep_random_devices_open(int keep);
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * Perform the DRBG KAT selftests
|
|
||||||
+ */
|
|
||||||
+int rand_drbg_selftest(void);
|
|
||||||
+
|
|
||||||
#endif
|
|
@ -1,189 +0,0 @@
|
|||||||
diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
|
|
||||||
--- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand 2020-03-17 18:06:16.822418854 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 18:06:16.861418172 +0100
|
|
||||||
@@ -68,6 +68,7 @@
|
|
||||||
|
|
||||||
# include <openssl/fips.h>
|
|
||||||
# include "internal/thread_once.h"
|
|
||||||
+# include "crypto/rand.h"
|
|
||||||
|
|
||||||
# ifndef PATH_MAX
|
|
||||||
# define PATH_MAX 1024
|
|
||||||
@@ -76,6 +77,7 @@
|
|
||||||
static int fips_selftest_fail = 0;
|
|
||||||
static int fips_mode = 0;
|
|
||||||
static int fips_started = 0;
|
|
||||||
+static int fips_post = 0;
|
|
||||||
|
|
||||||
static int fips_is_owning_thread(void);
|
|
||||||
static int fips_set_owning_thread(void);
|
|
||||||
@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
|
|
||||||
fips_selftest_fail = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+int fips_in_post(void)
|
|
||||||
+{
|
|
||||||
+ return fips_post;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* we implement what libfipscheck does ourselves */
|
|
||||||
|
|
||||||
static int
|
|
||||||
@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
|
|
||||||
}
|
|
||||||
# endif
|
|
||||||
|
|
||||||
+ fips_post = 1;
|
|
||||||
+
|
|
||||||
if (!FIPS_selftest()) {
|
|
||||||
fips_selftest_fail = 1;
|
|
||||||
ret = 0;
|
|
||||||
@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ fips_post = 0;
|
|
||||||
+
|
|
||||||
fips_set_mode(onoff);
|
|
||||||
+ /* force RNG reseed with entropy from getrandom() on next call */
|
|
||||||
+ rand_force_reseed();
|
|
||||||
+
|
|
||||||
ret = 1;
|
|
||||||
goto end;
|
|
||||||
}
|
|
||||||
diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
|
|
||||||
--- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-17 18:07:35.305045521 +0100
|
|
||||||
@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
|
||||||
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
|
||||||
}
|
|
||||||
|
|
||||||
+void rand_force_reseed(void)
|
|
||||||
+{
|
|
||||||
+ RAND_DRBG *drbg;
|
|
||||||
+
|
|
||||||
+ drbg = RAND_DRBG_get0_master();
|
|
||||||
+ drbg->fork_id = 0;
|
|
||||||
+
|
|
||||||
+ drbg = RAND_DRBG_get0_private();
|
|
||||||
+ drbg->fork_id = 0;
|
|
||||||
+
|
|
||||||
+ drbg = RAND_DRBG_get0_public();
|
|
||||||
+ drbg->fork_id = 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* Implements the default OpenSSL RAND_add() method */
|
|
||||||
static int drbg_add(const void *buf, int num, double randomness)
|
|
||||||
{
|
|
||||||
diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
|
|
||||||
--- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-17 18:09:01.503537189 +0100
|
|
||||||
@@ -17,10 +17,12 @@
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
#include "rand_local.h"
|
|
||||||
#include "crypto/rand.h"
|
|
||||||
+#include "crypto/fips.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
#include "internal/dso.h"
|
|
||||||
#ifdef __linux
|
|
||||||
# include <sys/syscall.h>
|
|
||||||
+# include <sys/random.h>
|
|
||||||
# ifdef DEVRANDOM_WAIT
|
|
||||||
# include <sys/shm.h>
|
|
||||||
# include <sys/utsname.h>
|
|
||||||
@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
|
|
||||||
* syscall_random(): Try to get random data using a system call
|
|
||||||
* returns the number of bytes returned in buf, or < 0 on error.
|
|
||||||
*/
|
|
||||||
-static ssize_t syscall_random(void *buf, size_t buflen)
|
|
||||||
+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
|
|
||||||
{
|
|
||||||
/*
|
|
||||||
* Note: 'buflen' equals the size of the buffer which is used by the
|
|
||||||
@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
|
|
||||||
* - Linux since 3.17 with glibc 2.25
|
|
||||||
* - FreeBSD since 12.0 (1200061)
|
|
||||||
*/
|
|
||||||
+# if 0
|
|
||||||
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
|
||||||
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
|
||||||
|
|
||||||
@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
|
|
||||||
if (p_getentropy.p != NULL)
|
|
||||||
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
|
||||||
# endif
|
|
||||||
-
|
|
||||||
+# endif
|
|
||||||
/* Linux supports this since version 3.17 */
|
|
||||||
-# if defined(__linux) && defined(__NR_getrandom)
|
|
||||||
- return syscall(__NR_getrandom, buf, buflen, 0);
|
|
||||||
+# if defined(__linux) && defined(SYS_getrandom)
|
|
||||||
+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
|
|
||||||
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
|
||||||
return sysctl_random(buf, buflen);
|
|
||||||
# else
|
|
||||||
@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
|
||||||
size_t entropy_available;
|
|
||||||
|
|
||||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
|
||||||
+ int in_post;
|
|
||||||
+
|
|
||||||
+ for (in_post = fips_in_post(); in_post >= 0; --in_post) {
|
|
||||||
{
|
|
||||||
size_t bytes_needed;
|
|
||||||
unsigned char *buffer;
|
|
||||||
@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
|
||||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
|
||||||
while (bytes_needed != 0 && attempts-- > 0) {
|
|
||||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
|
||||||
- bytes = syscall_random(buffer, bytes_needed);
|
|
||||||
+ bytes = syscall_random(buffer, bytes_needed, in_post);
|
|
||||||
if (bytes > 0) {
|
|
||||||
rand_pool_add_end(pool, bytes, 8 * bytes);
|
|
||||||
bytes_needed -= bytes;
|
|
||||||
@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
|
||||||
int attempts = 3;
|
|
||||||
const int fd = get_random_device(i);
|
|
||||||
|
|
||||||
- if (fd == -1)
|
|
||||||
+ if (fd == -1) {
|
|
||||||
+ OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
|
|
||||||
continue;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
while (bytes_needed != 0 && attempts-- > 0) {
|
|
||||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
|
||||||
@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
|
||||||
return entropy_available;
|
|
||||||
}
|
|
||||||
# endif
|
|
||||||
-
|
|
||||||
+# ifdef OPENSSL_RAND_SEED_GETRANDOM
|
|
||||||
+ }
|
|
||||||
+# endif
|
|
||||||
return rand_pool_entropy_available(pool);
|
|
||||||
# endif
|
|
||||||
}
|
|
||||||
diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
|
|
||||||
--- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand 2020-03-17 18:06:16.831418696 +0100
|
|
||||||
+++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 18:06:16.861418172 +0100
|
|
||||||
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
|
|
||||||
int FIPS_selftest_drbg(void);
|
|
||||||
int FIPS_selftest_cmac(void);
|
|
||||||
|
|
||||||
+int fips_in_post(void);
|
|
||||||
+
|
|
||||||
int fips_pkey_signature_test(EVP_PKEY *pkey,
|
|
||||||
const unsigned char *tbs, int tbslen,
|
|
||||||
const unsigned char *kat,
|
|
||||||
diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
|
|
||||||
--- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-17 18:07:35.303045555 +0100
|
|
||||||
@@ -24,6 +24,7 @@
|
|
||||||
typedef struct rand_pool_st RAND_POOL;
|
|
||||||
|
|
||||||
void rand_cleanup_int(void);
|
|
||||||
+void rand_force_reseed(void);
|
|
||||||
void rand_drbg_cleanup_int(void);
|
|
||||||
void drbg_delete_thread_state(void);
|
|
||||||
|
|
@ -1,500 +0,0 @@
|
|||||||
diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl
|
|
||||||
--- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl 2020-03-19 17:07:02.626522694 +0100
|
|
||||||
@@ -275,6 +275,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
movups ($inp),$inout0 # load input
|
|
||||||
mov 240($key),$rounds # key->rounds
|
|
||||||
___
|
|
||||||
@@ -293,6 +294,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_decrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
movups ($inp),$inout0 # load input
|
|
||||||
mov 240($key),$rounds # key->rounds
|
|
||||||
___
|
|
||||||
@@ -613,6 +615,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
aesni_ecb_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0x58(%rsp),%rsp
|
|
||||||
@@ -985,6 +988,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
aesni_ccm64_encrypt_blocks:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0x58(%rsp),%rsp
|
|
||||||
@@ -1077,6 +1081,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
aesni_ccm64_decrypt_blocks:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0x58(%rsp),%rsp
|
|
||||||
@@ -1203,6 +1208,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
aesni_ctr32_encrypt_blocks:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
cmp \$1,$len
|
|
||||||
jne .Lctr32_bulk
|
|
||||||
|
|
||||||
@@ -1775,6 +1781,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
aesni_xts_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
lea (%rsp),%r11 # frame pointer
|
|
||||||
.cfi_def_cfa_register %r11
|
|
||||||
push %rbp
|
|
||||||
@@ -2258,6 +2265,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
aesni_xts_decrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
lea (%rsp),%r11 # frame pointer
|
|
||||||
.cfi_def_cfa_register %r11
|
|
||||||
push %rbp
|
|
||||||
@@ -2783,6 +2791,7 @@ $code.=<<___;
|
|
||||||
.align 32
|
|
||||||
aesni_ocb_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
lea (%rsp),%rax
|
|
||||||
push %rbx
|
|
||||||
.cfi_push %rbx
|
|
||||||
@@ -3249,6 +3258,7 @@ __ocb_encrypt1:
|
|
||||||
.align 32
|
|
||||||
aesni_ocb_decrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
lea (%rsp),%rax
|
|
||||||
push %rbx
|
|
||||||
.cfi_push %rbx
|
|
||||||
@@ -3737,6 +3747,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_cbc_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
test $len,$len # check length
|
|
||||||
jz .Lcbc_ret
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl
|
|
||||||
--- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl 2020-03-19 17:00:15.974621757 +0100
|
|
||||||
@@ -696,6 +696,7 @@ _vpaes_schedule_mangle:
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_set_encrypt_key:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0xb8(%rsp),%rsp
|
|
||||||
@@ -746,6 +747,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_set_decrypt_key:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0xb8(%rsp),%rsp
|
|
||||||
@@ -801,6 +803,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0xb8(%rsp),%rsp
|
|
||||||
@@ -846,6 +849,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_decrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
lea -0xb8(%rsp),%rsp
|
|
||||||
@@ -897,6 +901,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
${PREFIX}_cbc_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
xchg $key,$len
|
|
||||||
___
|
|
||||||
($len,$key)=($key,$len);
|
|
||||||
diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c
|
|
||||||
--- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/async/arch/async_posix.c 2020-03-19 17:00:15.974621757 +0100
|
|
||||||
@@ -34,7 +34,9 @@ void async_local_cleanup(void)
|
|
||||||
|
|
||||||
int async_fibre_makecontext(async_fibre *fibre)
|
|
||||||
{
|
|
||||||
+#ifndef USE_SWAPCONTEXT
|
|
||||||
fibre->env_init = 0;
|
|
||||||
+#endif
|
|
||||||
if (getcontext(&fibre->fibre) == 0) {
|
|
||||||
fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE);
|
|
||||||
if (fibre->fibre.uc_stack.ss_sp != NULL) {
|
|
||||||
diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h
|
|
||||||
--- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet 2020-03-19 17:00:15.435631166 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/async/arch/async_posix.h 2020-03-19 17:00:15.975621739 +0100
|
|
||||||
@@ -25,17 +25,33 @@
|
|
||||||
# define ASYNC_POSIX
|
|
||||||
# define ASYNC_ARCH
|
|
||||||
|
|
||||||
+# ifdef __CET__
|
|
||||||
+/*
|
|
||||||
+ * When Intel CET is enabled, makecontext will create a different
|
|
||||||
+ * shadow stack for each context. async_fibre_swapcontext cannot
|
|
||||||
+ * use _longjmp. It must call swapcontext to swap shadow stack as
|
|
||||||
+ * well as normal stack.
|
|
||||||
+ */
|
|
||||||
+# define USE_SWAPCONTEXT
|
|
||||||
+# endif
|
|
||||||
# include <ucontext.h>
|
|
||||||
-# include <setjmp.h>
|
|
||||||
+# ifndef USE_SWAPCONTEXT
|
|
||||||
+# include <setjmp.h>
|
|
||||||
+# endif
|
|
||||||
|
|
||||||
typedef struct async_fibre_st {
|
|
||||||
ucontext_t fibre;
|
|
||||||
+# ifndef USE_SWAPCONTEXT
|
|
||||||
jmp_buf env;
|
|
||||||
int env_init;
|
|
||||||
+# endif
|
|
||||||
} async_fibre;
|
|
||||||
|
|
||||||
static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r)
|
|
||||||
{
|
|
||||||
+# ifdef USE_SWAPCONTEXT
|
|
||||||
+ swapcontext(&o->fibre, &n->fibre);
|
|
||||||
+# else
|
|
||||||
o->env_init = 1;
|
|
||||||
|
|
||||||
if (!r || !_setjmp(o->env)) {
|
|
||||||
@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc
|
|
||||||
else
|
|
||||||
setcontext(&n->fibre);
|
|
||||||
}
|
|
||||||
+# endif
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl
|
|
||||||
--- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
|
|
||||||
@@ -685,6 +685,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
Camellia_cbc_encrypt:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
cmp \$0,%rdx
|
|
||||||
je .Lcbc_abort
|
|
||||||
push %rbx
|
|
||||||
diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl
|
|
||||||
--- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl 2020-03-19 17:00:15.975621739 +0100
|
|
||||||
@@ -239,6 +239,7 @@ $code=<<___;
|
|
||||||
.align 16
|
|
||||||
gcm_gmult_4bit:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
push %rbx
|
|
||||||
.cfi_push %rbx
|
|
||||||
push %rbp # %rbp and others are pushed exclusively in
|
|
||||||
@@ -286,6 +287,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
gcm_ghash_4bit:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
push %rbx
|
|
||||||
.cfi_push %rbx
|
|
||||||
push %rbp
|
|
||||||
@@ -612,6 +614,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
gcm_gmult_clmul:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
.L_gmult_clmul:
|
|
||||||
movdqu ($Xip),$Xi
|
|
||||||
movdqa .Lbswap_mask(%rip),$T3
|
|
||||||
@@ -663,6 +666,7 @@ $code.=<<___;
|
|
||||||
.align 32
|
|
||||||
gcm_ghash_clmul:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
.L_ghash_clmul:
|
|
||||||
___
|
|
||||||
$code.=<<___ if ($win64);
|
|
||||||
@@ -1166,6 +1170,7 @@ $code.=<<___;
|
|
||||||
.align 32
|
|
||||||
gcm_gmult_avx:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
jmp .L_gmult_clmul
|
|
||||||
.cfi_endproc
|
|
||||||
.size gcm_gmult_avx,.-gcm_gmult_avx
|
|
||||||
@@ -1177,6 +1182,7 @@ $code.=<<___;
|
|
||||||
.align 32
|
|
||||||
gcm_ghash_avx:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
___
|
|
||||||
if ($avx) {
|
|
||||||
my ($Xip,$Htbl,$inp,$len)=@_4args;
|
|
||||||
diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl
|
|
||||||
--- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/perlasm/cbc.pl 2020-03-19 17:00:15.976621722 +0100
|
|
||||||
@@ -165,21 +165,28 @@ sub cbc
|
|
||||||
&jmp_ptr($count);
|
|
||||||
|
|
||||||
&set_label("ej7");
|
|
||||||
+ &endbranch()
|
|
||||||
&movb(&HB("edx"), &BP(6,$in,"",0));
|
|
||||||
&shl("edx",8);
|
|
||||||
&set_label("ej6");
|
|
||||||
+ &endbranch()
|
|
||||||
&movb(&HB("edx"), &BP(5,$in,"",0));
|
|
||||||
&set_label("ej5");
|
|
||||||
+ &endbranch()
|
|
||||||
&movb(&LB("edx"), &BP(4,$in,"",0));
|
|
||||||
&set_label("ej4");
|
|
||||||
+ &endbranch()
|
|
||||||
&mov("ecx", &DWP(0,$in,"",0));
|
|
||||||
&jmp(&label("ejend"));
|
|
||||||
&set_label("ej3");
|
|
||||||
+ &endbranch()
|
|
||||||
&movb(&HB("ecx"), &BP(2,$in,"",0));
|
|
||||||
&shl("ecx",8);
|
|
||||||
&set_label("ej2");
|
|
||||||
+ &endbranch()
|
|
||||||
&movb(&HB("ecx"), &BP(1,$in,"",0));
|
|
||||||
&set_label("ej1");
|
|
||||||
+ &endbranch()
|
|
||||||
&movb(&LB("ecx"), &BP(0,$in,"",0));
|
|
||||||
&set_label("ejend");
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl
|
|
||||||
--- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl 2020-03-19 17:00:15.984621582 +0100
|
|
||||||
@@ -101,6 +101,33 @@ elsif (!$gas)
|
|
||||||
$decor="\$L\$";
|
|
||||||
}
|
|
||||||
|
|
||||||
+my $cet_property;
|
|
||||||
+if ($flavour =~ /elf/) {
|
|
||||||
+ # Always generate .note.gnu.property section for ELF outputs to
|
|
||||||
+ # mark Intel CET support since all input files must be marked
|
|
||||||
+ # with Intel CET support in order for linker to mark output with
|
|
||||||
+ # Intel CET support.
|
|
||||||
+ my $p2align=3; $p2align=2 if ($flavour eq "elf32");
|
|
||||||
+ $cet_property = <<_____;
|
|
||||||
+ .section ".note.gnu.property", "a"
|
|
||||||
+ .p2align $p2align
|
|
||||||
+ .long 1f - 0f
|
|
||||||
+ .long 4f - 1f
|
|
||||||
+ .long 5
|
|
||||||
+0:
|
|
||||||
+ .asciz "GNU"
|
|
||||||
+1:
|
|
||||||
+ .p2align $p2align
|
|
||||||
+ .long 0xc0000002
|
|
||||||
+ .long 3f - 2f
|
|
||||||
+2:
|
|
||||||
+ .long 3
|
|
||||||
+3:
|
|
||||||
+ .p2align $p2align
|
|
||||||
+4:
|
|
||||||
+_____
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
my $current_segment;
|
|
||||||
my $current_function;
|
|
||||||
my %globals;
|
|
||||||
@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) {
|
|
||||||
print $line,"\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
+print "$cet_property" if ($cet_property);
|
|
||||||
print "\n$current_segment\tENDS\n" if ($current_segment && $masm);
|
|
||||||
print "END\n" if ($masm);
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl
|
|
||||||
--- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/perlasm/x86gas.pl 2020-03-19 17:00:15.985621565 +0100
|
|
||||||
@@ -124,6 +124,7 @@ sub ::function_begin_B
|
|
||||||
push(@out,".align\t$align\n");
|
|
||||||
push(@out,"$func:\n");
|
|
||||||
push(@out,"$begin:\n") if ($global);
|
|
||||||
+ &::endbranch();
|
|
||||||
$::stack=4;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -172,6 +173,26 @@ sub ::file_end
|
|
||||||
else { push (@out,"$tmp\n"); }
|
|
||||||
}
|
|
||||||
push(@out,$initseg) if ($initseg);
|
|
||||||
+ if ($::elf) {
|
|
||||||
+ push(@out,"
|
|
||||||
+ .section \".note.gnu.property\", \"a\"
|
|
||||||
+ .p2align 2
|
|
||||||
+ .long 1f - 0f
|
|
||||||
+ .long 4f - 1f
|
|
||||||
+ .long 5
|
|
||||||
+0:
|
|
||||||
+ .asciz \"GNU\"
|
|
||||||
+1:
|
|
||||||
+ .p2align 2
|
|
||||||
+ .long 0xc0000002
|
|
||||||
+ .long 3f - 2f
|
|
||||||
+2:
|
|
||||||
+ .long 3
|
|
||||||
+3:
|
|
||||||
+ .p2align 2
|
|
||||||
+4:
|
|
||||||
+");
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); }
|
|
||||||
diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl
|
|
||||||
--- openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet 2020-03-19 17:00:38.185234015 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl 2020-03-19 17:05:46.575850341 +0100
|
|
||||||
@@ -2806,6 +2806,7 @@ $code.=<<___;
|
|
||||||
.align 32
|
|
||||||
poly1305_blocks_vpmadd52:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
shr \$4,$len
|
|
||||||
jz .Lno_data_vpmadd52 # too short
|
|
||||||
|
|
||||||
@@ -3739,6 +3740,7 @@ $code.=<<___;
|
|
||||||
.align 32
|
|
||||||
poly1305_emit_base2_44:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
mov 0($ctx),%r8 # load hash value
|
|
||||||
mov 8($ctx),%r9
|
|
||||||
mov 16($ctx),%r10
|
|
||||||
diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl
|
|
||||||
--- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet 2020-03-19 17:00:38.190233928 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl 2020-03-19 17:05:02.598618064 +0100
|
|
||||||
@@ -140,6 +140,7 @@ $code=<<___;
|
|
||||||
.align 16
|
|
||||||
RC4:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
or $len,$len
|
|
||||||
jne .Lentry
|
|
||||||
ret
|
|
||||||
@@ -455,6 +456,7 @@ $code.=<<___;
|
|
||||||
.align 16
|
|
||||||
RC4_set_key:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
lea 8($dat),$dat
|
|
||||||
lea ($inp,$len),$inp
|
|
||||||
neg $len
|
|
||||||
@@ -529,6 +531,7 @@ RC4_set_key:
|
|
||||||
.align 16
|
|
||||||
RC4_options:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
lea .Lopts(%rip),%rax
|
|
||||||
mov OPENSSL_ia32cap_P(%rip),%edx
|
|
||||||
bt \$20,%edx
|
|
||||||
diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl
|
|
||||||
--- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100
|
|
||||||
+++ openssl-1.1.1e/crypto/x86_64cpuid.pl 2020-03-19 17:03:58.172742775 +0100
|
|
||||||
@@ -40,6 +40,7 @@ print<<___;
|
|
||||||
.align 16
|
|
||||||
OPENSSL_atomic_add:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
movl ($arg1),%eax
|
|
||||||
.Lspin: leaq ($arg2,%rax),%r8
|
|
||||||
.byte 0xf0 # lock
|
|
||||||
@@ -56,6 +57,7 @@ OPENSSL_atomic_add:
|
|
||||||
.align 16
|
|
||||||
OPENSSL_rdtsc:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
rdtsc
|
|
||||||
shl \$32,%rdx
|
|
||||||
or %rdx,%rax
|
|
||||||
@@ -68,6 +70,7 @@ OPENSSL_rdtsc:
|
|
||||||
.align 16
|
|
||||||
OPENSSL_ia32_cpuid:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
mov %rbx,%r8 # save %rbx
|
|
||||||
.cfi_register %rbx,%r8
|
|
||||||
|
|
||||||
@@ -237,6 +240,7 @@ OPENSSL_ia32_cpuid:
|
|
||||||
.align 16
|
|
||||||
OPENSSL_cleanse:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
xor %rax,%rax
|
|
||||||
cmp \$15,$arg2
|
|
||||||
jae .Lot
|
|
||||||
@@ -274,6 +278,7 @@ OPENSSL_cleanse:
|
|
||||||
.align 16
|
|
||||||
CRYPTO_memcmp:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
xor %rax,%rax
|
|
||||||
xor %r10,%r10
|
|
||||||
cmp \$0,$arg3
|
|
||||||
@@ -312,6 +317,7 @@ print<<___ if (!$win64);
|
|
||||||
.align 16
|
|
||||||
OPENSSL_wipe_cpu:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
pxor %xmm0,%xmm0
|
|
||||||
pxor %xmm1,%xmm1
|
|
||||||
pxor %xmm2,%xmm2
|
|
||||||
@@ -346,6 +352,8 @@ print<<___ if ($win64);
|
|
||||||
.type OPENSSL_wipe_cpu,\@abi-omnipotent
|
|
||||||
.align 16
|
|
||||||
OPENSSL_wipe_cpu:
|
|
||||||
+.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
pxor %xmm0,%xmm0
|
|
||||||
pxor %xmm1,%xmm1
|
|
||||||
pxor %xmm2,%xmm2
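Review bot: The Win64 variant of OPENSSL_wipe_cpu gains `.cfi_startproc` here, but no matching `.cfi_endproc` is visible in this hunk; the tail of the function lies outside it. If the end of this heredoc does not already carry `.cfi_endproc`, the pair is unbalanced wherever the translator passes CFI directives through, so the closing directive should be added next to the final `ret`. Among the x86_64cpuid.pl hunks shown, this is the only one that introduces `.cfi_startproc` rather than relying on an existing one, so it needs that extra check.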
|
|
||||||
@@ -376,6 +384,7 @@ print<<___;
|
|
||||||
.align 16
|
|
||||||
OPENSSL_instrument_bus:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
mov $arg1,$out # tribute to Win64
|
|
||||||
mov $arg2,$cnt
|
|
||||||
mov $arg2,$max
|
|
||||||
@@ -410,6 +419,7 @@ OPENSSL_instrument_bus:
|
|
||||||
.align 16
|
|
||||||
OPENSSL_instrument_bus2:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
mov $arg1,$out # tribute to Win64
|
|
||||||
mov $arg2,$cnt
|
|
||||||
mov $arg3,$max
|
|
||||||
@@ -465,6 +475,7 @@ print<<___;
|
|
||||||
.align 16
|
|
||||||
OPENSSL_ia32_${rdop}_bytes:
|
|
||||||
.cfi_startproc
|
|
||||||
+ endbranch
|
|
||||||
xor %rax, %rax # return value
|
|
||||||
cmp \$0,$arg2
|
|
||||||
je .Ldone_${rdop}_bytes
|
|
@ -1,170 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
|
|
||||||
--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200
|
|
||||||
@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
|
|
||||||
fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
|
|
||||||
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
|
|
||||||
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
|
|
||||||
- fips_dh_selftest.c fips_ers.c
|
|
||||||
+ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
|
|
||||||
|
|
||||||
PROGRAMS_NO_INST=\
|
|
||||||
fips_standalone_hmac
|
|
||||||
diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200
|
|
||||||
@@ -0,0 +1,117 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
||||||
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
|
|
||||||
+ *
|
|
||||||
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
||||||
+ * this file except in compliance with the License. You can obtain a copy
|
|
||||||
+ * in the file LICENSE in the source distribution or at
|
|
||||||
+ * https://www.openssl.org/source/license.html
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <openssl/err.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#include "crypto/fips.h"
|
|
||||||
+
|
|
||||||
+#include <openssl/evp.h>
|
|
||||||
+#include <openssl/kdf.h>
|
|
||||||
+
|
|
||||||
+#ifdef OPENSSL_FIPS
|
|
||||||
+int FIPS_selftest_pbkdf2(void)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ EVP_KDF_CTX *kctx;
|
|
||||||
+ unsigned char out[32];
|
|
||||||
+
|
|
||||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ {
|
|
||||||
+ const unsigned char expected[sizeof(out)] = {
|
|
||||||
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
|
|
||||||
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
|
|
||||||
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
|
|
||||||
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
|
|
||||||
+ };
|
|
||||||
+ if (memcmp(out, expected, sizeof(expected))) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ ret = 1;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ if (!ret)
|
|
||||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
|
|
||||||
+ EVP_KDF_CTX_free(kctx);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
|
|
||||||
+ * 5) appendix A. */
|
|
||||||
+int FIPS_selftest_kbkdf(void)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ EVP_KDF_CTX *kctx;
|
|
||||||
+ char *label = "prf", *prf_input = "test";
|
|
||||||
+ static unsigned char input_key[] = {
|
|
||||||
+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
|
|
||||||
+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
|
|
||||||
+ };
|
|
||||||
+ static unsigned char output[] = {
|
|
||||||
+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
|
|
||||||
+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
|
|
||||||
+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
|
|
||||||
+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
|
|
||||||
+ };
|
|
||||||
+ unsigned char result[sizeof(output)] = { 0 };
|
|
||||||
+
|
|
||||||
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
|
|
||||||
+ goto err;
|
|
||||||
+ }
|
|
||||||
+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
|
|
||||||
+ && memcmp(result, output, sizeof(output)) == 0;
|
|
||||||
+err:
|
|
||||||
+
|
|
||||||
+ if (!ret)
|
|
||||||
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
|
|
||||||
+ EVP_KDF_CTX_free(kctx);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int FIPS_selftest_kdf(void)
|
|
||||||
+{
|
|
||||||
+ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#endif
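Review bot: `FIPS_selftest_kdf()` joins the two tests with `&&`, so a PBKDF2 failure skips the KBKDF known-answer test and its FIPSerr is never raised, whereas FIPS_selftest() in the fips_post.c hunk runs every test and only clears `rv`. Running both and combining the results, e.g. `int ok = FIPS_selftest_pbkdf2(); ok &= FIPS_selftest_kbkdf(); return ok;`, keeps the error queue complete. The PBKDF2 expected value also carries no provenance comment, unlike the RFC 8009 reference on the KBKDF test; a line such as `/* PBKDF2-HMAC-SHA256 known answer: "password", "salt", 2 iterations, 32 bytes; source: <reference> */` would let an auditor re-derive it. `input_key`, `output`, `label` and `prf_input` are never written in this file and could be declared `const`.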
|
|
||||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200
|
|
||||||
@@ -111,6 +111,8 @@ int FIPS_selftest(void)
|
|
||||||
rv = 0;
|
|
||||||
if (!FIPS_selftest_ecdh())
|
|
||||||
rv = 0;
|
|
||||||
+ if (!FIPS_selftest_kdf())
|
|
||||||
+ rv = 0;
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
|
|
||||||
--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
|
|
||||||
+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
|
|
||||||
@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
|
|
||||||
int FIPS_selftest_hmac(void);
|
|
||||||
int FIPS_selftest_drbg(void);
|
|
||||||
int FIPS_selftest_cmac(void);
|
|
||||||
+int FIPS_selftest_kbkdf(void);
|
|
||||||
+int FIPS_selftest_pbkdf2(void);
|
|
||||||
+int FIPS_selftest_kdf(void);
|
|
||||||
|
|
||||||
int fips_in_post(void);
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
|
|
||||||
--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200
|
|
||||||
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200
|
|
||||||
@@ -123,6 +123,8 @@ extern "C" {
|
|
||||||
# define FIPS_F_FIPS_SELFTEST_DSA 112
|
|
||||||
# define FIPS_F_FIPS_SELFTEST_ECDSA 133
|
|
||||||
# define FIPS_F_FIPS_SELFTEST_HMAC 113
|
|
||||||
+# define FIPS_F_FIPS_SELFTEST_KBKDF 151
|
|
||||||
+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
|
|
||||||
# define FIPS_F_FIPS_SELFTEST_SHA1 115
|
|
||||||
# define FIPS_F_FIPS_SELFTEST_SHA2 105
|
|
||||||
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
|
|
@ -1,19 +0,0 @@
|
|||||||
diff -up openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre9/doc/man1/openssl.pod
|
|
||||||
--- openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename 2018-08-21 14:14:13.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre9/doc/man1/openssl.pod 2018-08-22 12:13:04.092568064 +0200
|
|
||||||
@@ -482,13 +482,13 @@ L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>
|
|
||||||
L<ec(1)>, L<ecparam(1)>,
|
|
||||||
L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
|
|
||||||
L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
|
|
||||||
-L<passwd(1)>,
|
|
||||||
L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
|
|
||||||
L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>, L<prime(1)>,
|
|
||||||
-L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
|
|
||||||
+L<rehash(1)>, L<req(1)>, L<rsa(1)>,
|
|
||||||
L<rsautl(1)>, L<s_client(1)>,
|
|
||||||
L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
|
|
||||||
L<smime(1)>, L<speed(1)>, L<spkac(1)>, L<srp(1)>, L<storeutl(1)>,
|
|
||||||
+L<sslpasswd(1)>, L<sslrand(1)>,
|
|
||||||
L<ts(1)>,
|
|
||||||
L<verify(1)>, L<version(1)>, L<x509(1)>,
|
|
||||||
L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>
|
|
@ -1,112 +0,0 @@
|
|||||||
diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in
|
|
||||||
--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200
|
|
||||||
+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200
|
|
||||||
@@ -147,22 +147,22 @@ our @tests = (
|
|
||||||
{
|
|
||||||
name => "ECDSA with brainpool",
|
|
||||||
server => {
|
|
||||||
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
|
||||||
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
|
||||||
- "Groups" => "brainpoolP256r1",
|
|
||||||
+ "Certificate" => test_pem("server-ecdsa-cert.pem"),
|
|
||||||
+ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
|
||||||
+# "Groups" => "brainpoolP256r1",
|
|
||||||
},
|
|
||||||
client => {
|
|
||||||
#We don't restrict this to TLSv1.2, although use of brainpool
|
|
||||||
#should force this anyway so that this should succeed
|
|
||||||
"CipherString" => "aECDSA",
|
|
||||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
|
||||||
- "Groups" => "brainpoolP256r1",
|
|
||||||
+# "Groups" => "brainpoolP256r1",
|
|
||||||
},
|
|
||||||
test => {
|
|
||||||
- "ExpectedServerCertType" =>, "brainpoolP256r1",
|
|
||||||
- "ExpectedServerSignType" =>, "EC",
|
|
||||||
+# "ExpectedServerCertType" =>, "brainpoolP256r1",
|
|
||||||
+# "ExpectedServerSignType" =>, "EC",
|
|
||||||
# Note: certificate_authorities not sent for TLS < 1.3
|
|
||||||
- "ExpectedServerCANames" =>, "empty",
|
|
||||||
+# "ExpectedServerCANames" =>, "empty",
|
|
||||||
"ExpectedResult" => "Success"
|
|
||||||
},
|
|
||||||
},
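Review bot: Both edited cases keep their names, `ECDSA with brainpool` here and `TLS 1.3 ECDSA with brainpool` in the hunk at line 853, although they now load `server-ecdsa-cert.pem` and no longer set `Groups`, so neither exercises brainpool any more. The TLS 1.3 case also flips from `ServerFail` to `Success`, which removes the negative check that a brainpool certificate is refused under TLS 1.3. Renaming the cases, for example `name => "ECDSA (brainpool disabled)"`, and deleting the disabled keys instead of leaving them as `#` lines would keep the test list honest about what is covered.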
|
|
||||||
@@ -853,18 +853,18 @@ my @tests_tls_1_3 = (
|
|
||||||
{
|
|
||||||
name => "TLS 1.3 ECDSA with brainpool",
|
|
||||||
server => {
|
|
||||||
- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
|
||||||
- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
|
||||||
- "Groups" => "brainpoolP256r1",
|
|
||||||
+ "Certificate" => test_pem("server-ecdsa-cert.pem"),
|
|
||||||
+ "PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
|
||||||
+# "Groups" => "brainpoolP256r1",
|
|
||||||
},
|
|
||||||
client => {
|
|
||||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
|
||||||
- "Groups" => "brainpoolP256r1",
|
|
||||||
+# "Groups" => "brainpoolP256r1",
|
|
||||||
"MinProtocol" => "TLSv1.3",
|
|
||||||
"MaxProtocol" => "TLSv1.3"
|
|
||||||
},
|
|
||||||
test => {
|
|
||||||
- "ExpectedResult" => "ServerFail"
|
|
||||||
+ "ExpectedResult" => "Success"
|
|
||||||
},
|
|
||||||
},
|
|
||||||
);
|
|
||||||
diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf
|
|
||||||
--- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200
|
|
||||||
+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200
|
|
||||||
@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server
|
|
||||||
client = 5-ECDSA with brainpool-client
|
|
||||||
|
|
||||||
[5-ECDSA with brainpool-server]
|
|
||||||
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
|
|
||||||
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
|
||||||
CipherString = DEFAULT
|
|
||||||
-Groups = brainpoolP256r1
|
|
||||||
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
|
|
||||||
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
|
||||||
|
|
||||||
[5-ECDSA with brainpool-client]
|
|
||||||
CipherString = aECDSA
|
|
||||||
-Groups = brainpoolP256r1
|
|
||||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
|
||||||
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
|
|
||||||
VerifyMode = Peer
|
|
||||||
|
|
||||||
[test-5]
|
|
||||||
ExpectedResult = Success
|
|
||||||
-ExpectedServerCANames = empty
|
|
||||||
-ExpectedServerCertType = brainpoolP256r1
|
|
||||||
-ExpectedServerSignType = EC
|
|
||||||
|
|
||||||
|
|
||||||
# ===========================================================
|
|
||||||
@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool
|
|
||||||
client = 52-TLS 1.3 ECDSA with brainpool-client
|
|
||||||
|
|
||||||
[52-TLS 1.3 ECDSA with brainpool-server]
|
|
||||||
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem
|
|
||||||
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
|
|
||||||
CipherString = DEFAULT
|
|
||||||
-Groups = brainpoolP256r1
|
|
||||||
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem
|
|
||||||
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
|
|
||||||
|
|
||||||
[52-TLS 1.3 ECDSA with brainpool-client]
|
|
||||||
CipherString = DEFAULT
|
|
||||||
-Groups = brainpoolP256r1
|
|
||||||
MaxProtocol = TLSv1.3
|
|
||||||
MinProtocol = TLSv1.3
|
|
||||||
RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
|
|
||||||
@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro
|
|
||||||
VerifyMode = Peer
|
|
||||||
|
|
||||||
[test-52]
|
|
||||||
-ExpectedResult = ServerFail
|
|
||||||
+ExpectedResult = Success
|
|
||||||
|
|
||||||
|
|
||||||
# ===========================================================
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl
|
|
||||||
--- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200
|
|
||||||
+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200
|
|
||||||
@@ -544,7 +544,7 @@ install_sw: install_dev install_engines
|
|
||||||
|
|
||||||
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
|
|
||||||
|
|
||||||
-install_docs: install_man_docs install_html_docs
|
|
||||||
+install_docs: install_man_docs
|
|
||||||
|
|
||||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
|
||||||
$(RM) -r "$(DESTDIR)$(DOCDIR)"
|
|
@ -1,170 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200
|
|
||||||
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
|
|
||||||
int FIPS_drbg_reseed(DRBG_CTX *dctx,
|
|
||||||
const unsigned char *adin, size_t adinlen)
|
|
||||||
{
|
|
||||||
+ int len = (int)adinlen;
|
|
||||||
+
|
|
||||||
+ if (len < 0 || (size_t)len != adinlen) {
|
|
||||||
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ RAND_seed(adin, len);
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
|
|
||||||
+ const unsigned char *adin, size_t adinlen)
|
|
||||||
+{
|
|
||||||
return drbg_reseed(dctx, adin, adinlen, 1);
|
|
||||||
}
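Review bot: The rewired `FIPS_drbg_reseed()` ignores `dctx` and returns 1 unconditionally, since `RAND_seed()` has no return value, so a caller can no longer detect a failed reseed or a context that was never instantiated. `RAND_seed()` is documented as equivalent to `RAND_add()` with the full buffer length credited as randomness, while this parameter is additional input; `RAND_add(adin, len, 0.0);` would state that intent, although how the installed method weighs it is not visible here. The companion hunk for `FIPS_drbg_generate()` likewise drops `prediction_resistance`, `adin` and `adinlen` without comment. A short note above each wrapper, e.g. `/* dctx and the additional-input arguments are ignored; the call is forwarded to the default RAND method */`, would tell callers what changed.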
|
|
||||||
|
|
||||||
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
|
|
||||||
int prediction_resistance,
|
|
||||||
const unsigned char *adin, size_t adinlen)
|
|
||||||
{
|
|
||||||
+ int len = (int)outlen;
|
|
||||||
+
|
|
||||||
+ if (len < 0 || (size_t)len != outlen) {
|
|
||||||
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return RAND_bytes(out, len);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
|
|
||||||
+ int prediction_resistance,
|
|
||||||
+ const unsigned char *adin, size_t adinlen)
|
|
||||||
+{
|
|
||||||
int r = 0;
|
|
||||||
|
|
||||||
if (FIPS_selftest_failed()) {
|
|
||||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200
|
|
||||||
@@ -57,6 +57,8 @@
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
#include <openssl/fips.h>
|
|
||||||
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
|
|
||||||
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
|
|
||||||
#include <openssl/fips_rand.h>
|
|
||||||
#include "fips_rand_lcl.h"
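Review bot: The two macros are spelled `FIPS_DRBG_generate` and `FIPS_DRBG_reseed`, but the functions split in the fips_drbg_lib.c hunks are `FIPS_drbg_generate` and `FIPS_drbg_reseed` with a lower-case `drbg`, and C identifiers are case-sensitive. Unless fips_rand.h or this file uses the upper-case spelling, which none of the visible hunks show, the defines rename nothing and calls here still reach the public wrappers that forward to RAND_bytes() and RAND_seed() rather than the `_internal` functions. The intended lines look like `#define FIPS_drbg_generate FIPS_drbg_generate_internal` and `#define FIPS_drbg_reseed FIPS_drbg_reseed_internal`. The identical pair in the fips_drbg_selftest.c hunk needs the same correction.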
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200
|
|
||||||
@@ -55,6 +55,8 @@
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/fips.h>
|
|
||||||
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
|
|
||||||
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
|
|
||||||
#include <openssl/fips_rand.h>
|
|
||||||
#include "fips_rand_lcl.h"
|
|
||||||
#include "fips_locl.h"
|
|
||||||
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200
|
|
||||||
@@ -79,8 +79,6 @@ int FIPS_selftest(void)
|
|
||||||
ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
|
|
||||||
rv = 0;
|
|
||||||
}
|
|
||||||
- if (!FIPS_selftest_drbg())
|
|
||||||
- rv = 0;
|
|
||||||
if (!FIPS_selftest_sha1())
|
|
||||||
rv = 0;
|
|
||||||
if (!FIPS_selftest_sha2())
|
|
||||||
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
|
|
||||||
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200
|
|
||||||
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
|
|
||||||
|
|
||||||
int FIPS_rand_seed(const void *buf, int num)
|
|
||||||
{
|
|
||||||
+#if 0
|
|
||||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
|
||||||
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
|
|
||||||
return 0;
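Review bot: The `#if 0` added at the top of FIPS_rand_seed() keeps the old body as dead code and drops the `!fips_approved_rand_meth && FIPS_module_mode()` guard, so the function now forwards to RAND_seed() regardless of which method is installed; the same pattern repeats in the FIPS_rand_bytes() and FIPS_rand_status() hunks that follow. If the guard is intentionally obsolete, deleting the old body and leaving one line such as `/* rewired to the default RAND method; fips_rand_meth is no longer consulted */` would make that explicit. The function body runs across this hunk and the next one.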
|
|
||||||
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
|
|
||||||
if (fips_rand_meth && fips_rand_meth->seed)
|
|
||||||
fips_rand_meth->seed(buf, num);
|
|
||||||
return 1;
|
|
||||||
+#else
|
|
||||||
+ RAND_seed(buf, num);
|
|
||||||
+ return 1;
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
int FIPS_rand_bytes(unsigned char *buf, int num)
|
|
||||||
{
|
|
||||||
+#if 0
|
|
||||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
|
||||||
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
|
|
||||||
return 0;
|
|
||||||
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
|
|
||||||
if (fips_rand_meth && fips_rand_meth->bytes)
|
|
||||||
return fips_rand_meth->bytes(buf, num);
|
|
||||||
return 0;
|
|
||||||
+#else
|
|
||||||
+ return RAND_bytes(buf, num);
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
int FIPS_rand_status(void)
|
|
||||||
{
|
|
||||||
+#if 0
|
|
||||||
if (!fips_approved_rand_meth && FIPS_module_mode()) {
|
|
||||||
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
|
|
||||||
return 0;
|
|
||||||
@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
|
|
||||||
if (fips_rand_meth && fips_rand_meth->status)
|
|
||||||
return fips_rand_meth->status();
|
|
||||||
return 0;
|
|
||||||
+#else
|
|
||||||
+ return RAND_status();
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Return instantiated strength of PRNG. For DRBG this is an internal
|
|
||||||
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
|
|
||||||
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
|
|
||||||
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200
|
|
||||||
@@ -64,6 +64,11 @@ extern "C" {
|
|
||||||
|
|
||||||
int FIPS_selftest(void);
|
|
||||||
int FIPS_selftest_failed(void);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * This function is deprecated as it performs selftest of the old FIPS drbg
|
|
||||||
+ * implementation that is not validated.
|
|
||||||
+ */
|
|
||||||
int FIPS_selftest_drbg_all(void);
|
|
||||||
|
|
||||||
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
|
|
||||||
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
|
|
||||||
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200
|
|
||||||
+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200
|
|
||||||
@@ -60,6 +60,20 @@
|
|
||||||
# ifdef __cplusplus
|
|
||||||
extern "C" {
|
|
||||||
# endif
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * IMPORTANT NOTE:
|
|
||||||
+ * All functions in this header file are deprecated and should not be used
|
|
||||||
+ * as they use the old FIPS_drbg implementation that is not FIPS validated
|
|
||||||
+ * anymore.
|
|
||||||
+ * To provide backwards compatibility for applications that need FIPS compliant
|
|
||||||
+ * RNG number generation and use FIPS_drbg_generate, this function was
|
|
||||||
+ * re-wired to call the FIPS validated DRBG instance instead through
|
|
||||||
+ * the RAND_bytes() call.
|
|
||||||
+ *
|
|
||||||
+ * All these functions will be removed in future.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
typedef struct drbg_ctx_st DRBG_CTX;
|
|
||||||
/* DRBG external flags */
|
|
||||||
/* Flag for CTR mode only: use derivation function ctr_df */
|
|
@ -1,160 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
|
|
||||||
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200
|
|
||||||
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
|
|
||||||
}
|
|
||||||
|
|
||||||
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
|
|
||||||
+static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
|
|
||||||
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
|
|
||||||
|
|
||||||
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
|
|
||||||
return 0;
|
|
||||||
-
|
|
||||||
- return secbits >= minbits_table[level - 1];
|
|
||||||
+ /*
|
|
||||||
+ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
|
|
||||||
+ * disable SHA1 flag is not set.
|
|
||||||
+ */
|
|
||||||
+ if ((ctx->param->flags & 0x40000000) || FIPS_mode())
|
|
||||||
+ return secbits >= minbits_table[level - 1];
|
|
||||||
+ return secbits >= minbits_digest_table[level - 1];
|
|
||||||
}
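Review bot: The literal `0x40000000` is tested against `ctx->param->flags` here and produced again by `sha1_disable()` in the ssl_cert.c hunk, described only as magical; a single named internal macro shared by both files would keep the two sites in step and make a clash with a future verify flag visible. The new comment says the relaxation applies in non-FIPS mode "or" when the flag is not set, while the code relaxes the limit only when both hold, so `* Allow SHA1 in SECLEVEL 2 only in non-FIPS mode and when the disable-SHA1 flag is not set.` matches the condition. Because any caller that never sets the flag gets `minbits_digest_table`, verification at auth level 2 outside the TLS path appears to accept SHA-1 signatures as well, which is worth stating in the comment if intended. check_sig_level() starts outside this hunk.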
|
|
||||||
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
|
|
||||||
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200
|
|
||||||
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
|
||||||
|
|
||||||
=item B<Level 2>
|
|
||||||
|
|
||||||
-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
|
|
||||||
-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
|
|
||||||
+Security level set to 112 bits of security with the exception of SHA1 allowed
|
|
||||||
+for signatures.
|
|
||||||
+As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
|
|
||||||
+shorter than 224 bits are prohibited.
|
|
||||||
In addition to the level 1 exclusions any cipher suite using RC4 is also
|
|
||||||
prohibited. SSL version 3 is also not allowed. Compression is disabled.
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
|
|
||||||
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200
|
|
||||||
@@ -27,6 +27,7 @@
|
|
||||||
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
|
|
||||||
int op, int bits, int nid, void *other,
|
|
||||||
void *ex);
|
|
||||||
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
|
|
||||||
|
|
||||||
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
|
|
||||||
static volatile int ssl_x509_store_ctx_idx = -1;
|
|
||||||
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
|
|
||||||
X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
|
|
||||||
|
|
||||||
/* Set suite B flags if needed */
|
|
||||||
- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
|
|
||||||
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
|
|
||||||
if (!X509_STORE_CTX_set_ex_data
|
|
||||||
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
|
|
||||||
goto end;
|
|
||||||
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
|
|
||||||
return 0;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
|
|
||||||
+ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
|
|
||||||
+ break;
|
|
||||||
if (bits < minbits)
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
|
|
||||||
+{
|
|
||||||
+ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
|
|
||||||
+ const CERT *c;
|
|
||||||
+
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+ if (ctx != NULL) {
|
|
||||||
+ c = ctx->cert;
|
|
||||||
+ } else {
|
|
||||||
+ c = s->cert;
|
|
||||||
+ }
|
|
||||||
+ if (tls1_cert_sigalgs_have_sha1(c))
|
|
||||||
+ return 0;
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
|
|
||||||
{
|
|
||||||
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
|
|
||||||
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
|
|
||||||
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200
|
|
||||||
+++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200
|
|
||||||
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
|
|
||||||
__owur int tls1_process_sigalgs(SSL *s);
|
|
||||||
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
|
|
||||||
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
|
|
||||||
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
|
|
||||||
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
|
|
||||||
# ifndef OPENSSL_NO_EC
|
|
||||||
__owur int tls_check_sigalg_curve(const SSL *s, int curve);
|
|
||||||
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
|
|
||||||
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200
|
|
||||||
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200
|
|
||||||
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
|
|
||||||
+{
|
|
||||||
+ size_t i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < sigalgslen; i++, sigalgs++) {
|
|
||||||
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
|
|
||||||
+
|
|
||||||
+ if (lu == NULL)
|
|
||||||
+ continue;
|
|
||||||
+ if (lu->hash == NID_sha1)
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
|
|
||||||
+{
|
|
||||||
+ if (c->client_sigalgs != NULL) {
|
|
||||||
+ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+ if (c->conf_sigalgs != NULL) {
|
|
||||||
+ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
|
|
||||||
+ return 1;
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
|
|
||||||
{
|
|
||||||
int sig_nid, use_pc_sigalgs = 0;
|
|
||||||
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
|
|
||||||
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200
|
|
||||||
+++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200
|
|
||||||
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
|
||||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
|
|
||||||
"CA with PSS signature using SHA256");
|
|
||||||
|
|
||||||
-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
|
||||||
- "Reject PSS signature using SHA1 and auth level 2");
|
|
||||||
+ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
|
|
||||||
+ "Reject PSS signature using SHA1 and auth level 3");
|
|
||||||
|
|
||||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
|
|
||||||
"PSS signature using SHA256 and auth level 2");
|
|
File diff suppressed because it is too large
@ -1,310 +0,0 @@
|
|||||||
diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
|
|
||||||
--- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist 2019-05-29 15:42:27.951329271 +0200
|
|
||||||
+++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl 2019-05-29 15:42:27.974328867 +0200
|
|
||||||
@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
|
||||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
|
||||||
HTMLDIR=$(DOCDIR)/html
|
|
||||||
|
|
||||||
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
|
||||||
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
|
||||||
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
|
||||||
+
|
|
||||||
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
|
||||||
# appended after the manpage file section number. "ssl" is popular,
|
|
||||||
# resulting in files such as config.5ssl rather than config.5.
|
|
||||||
@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
|
||||||
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
|
||||||
CPPFLAGS={- our $cppflags1 = join(" ",
|
|
||||||
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
|
||||||
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
|
||||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
|
||||||
@{$config{CPPFLAGS}}) -}
|
|
||||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
|
||||||
diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
|
|
||||||
--- openssl-1.1.1c/Configure.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
|
||||||
+++ openssl-1.1.1c/Configure 2019-05-29 15:45:10.465469533 +0200
|
|
||||||
@@ -24,7 +24,7 @@ use OpenSSL::Glob;
|
|
||||||
my $orig_death_handler = $SIG{__DIE__};
|
|
||||||
$SIG{__DIE__} = \&death_handler;
|
|
||||||
|
|
||||||
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
|
||||||
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
|
||||||
|
|
||||||
# Options:
|
|
||||||
#
|
|
||||||
@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
|
|
||||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
|
||||||
# (Default: PREFIX/ssl)
|
|
||||||
#
|
|
||||||
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
|
||||||
+# cipher is specified (default).
|
|
||||||
+#
|
|
||||||
# --cross-compile-prefix Add specified prefix to binutils components.
|
|
||||||
#
|
|
||||||
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
|
|
||||||
@@ -295,6 +298,7 @@ $config{prefix}="";
|
|
||||||
$config{openssldir}="";
|
|
||||||
$config{processor}="";
|
|
||||||
$config{libdir}="";
|
|
||||||
+$config{system_ciphers_file}="";
|
|
||||||
my $auto_threads=1; # enable threads automatically? true by default
|
|
||||||
my $default_ranlib;
|
|
||||||
|
|
||||||
@@ -824,6 +828,10 @@ while (@argvcopy)
|
|
||||||
push @seed_sources, $x;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ elsif (/^--system-ciphers-file=(.*)$/)
|
|
||||||
+ {
|
|
||||||
+ $config{system_ciphers_file}=$1;
|
|
||||||
+ }
|
|
||||||
elsif (/^--cross-compile-prefix=(.*)$/)
|
|
||||||
{
|
|
||||||
$user{CROSS_COMPILE}=$1;
|
|
||||||
@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
|
|
||||||
exit 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
|
|
||||||
+
|
|
||||||
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
|
|
||||||
print "for $target\n";
|
|
||||||
|
|
||||||
diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
|
|
||||||
--- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
|
||||||
+++ openssl-1.1.1c/doc/man1/ciphers.pod 2019-05-29 15:42:27.975328849 +0200
|
|
||||||
@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
|
||||||
|
|
||||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
|
||||||
|
|
||||||
+=item B<PROFILE=SYSTEM>
|
|
||||||
+
|
|
||||||
+The list of enabled cipher suites will be loaded from the system crypto policy
|
|
||||||
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
|
||||||
+See also L<update-crypto-policies(8)>.
|
|
||||||
+This is the default behavior unless an application explicitly sets a cipher
|
|
||||||
+list. If used in a cipher list configuration value this string must be at the
|
|
||||||
+beginning of the cipher list, otherwise it will not be recognized.
|
|
||||||
+
|
|
||||||
=item B<HIGH>
|
|
||||||
|
|
||||||
"High" encryption cipher suites. This currently means those with key lengths
|
|
||||||
diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
|
|
||||||
--- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
|
||||||
+++ openssl-1.1.1c/include/openssl/ssl.h 2019-05-29 15:42:27.975328849 +0200
|
|
||||||
@@ -186,6 +186,11 @@ extern "C" {
|
|
||||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
|
||||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
|
||||||
*/
|
|
||||||
+# ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
|
||||||
+# else
|
|
||||||
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
|
|
||||||
+# endif
|
|
||||||
|
|
||||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
|
||||||
# define SSL_SENT_SHUTDOWN 1
|
|
||||||
diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
|
|
||||||
--- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
|
||||||
+++ openssl-1.1.1c/ssl/ssl_ciph.c 2019-05-29 15:42:27.976328831 +0200
|
|
||||||
@@ -9,6 +9,8 @@
|
|
||||||
* https://www.openssl.org/source/license.html
|
|
||||||
*/
|
|
||||||
|
|
||||||
+/* for secure_getenv */
|
|
||||||
+#define _GNU_SOURCE
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <ctype.h>
|
|
||||||
#include <openssl/objects.h>
|
|
||||||
@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+static char *load_system_str(const char *suffix)
|
|
||||||
+{
|
|
||||||
+ FILE *fp;
|
|
||||||
+ char buf[1024];
|
|
||||||
+ char *new_rules;
|
|
||||||
+ const char *ciphers_path;
|
|
||||||
+ unsigned len, slen;
|
|
||||||
+
|
|
||||||
+ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
|
||||||
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
|
||||||
+ fp = fopen(ciphers_path, "r");
|
|
||||||
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
|
||||||
+ /* cannot open or file is empty */
|
|
||||||
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (fp)
|
|
||||||
+ fclose(fp);
|
|
||||||
+
|
|
||||||
+ slen = strlen(suffix);
|
|
||||||
+ len = strlen(buf);
|
|
||||||
+
|
|
||||||
+ if (buf[len - 1] == '\n') {
|
|
||||||
+ len--;
|
|
||||||
+ buf[len] = 0;
|
|
||||||
+ }
|
|
||||||
+ if (buf[len - 1] == '\r') {
|
|
||||||
+ len--;
|
|
||||||
+ buf[len] = 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
|
||||||
+ if (new_rules == 0)
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
+ memcpy(new_rules, buf, len);
|
|
||||||
+ if (slen > 0) {
|
|
||||||
+ memcpy(&new_rules[len], suffix, slen);
|
|
||||||
+ len += slen;
|
|
||||||
+ }
|
|
||||||
+ new_rules[len] = 0;
|
|
||||||
+
|
|
||||||
+ return new_rules;
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
|
|
||||||
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
|
||||||
STACK_OF(SSL_CIPHER) **cipher_list,
|
|
||||||
@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
const char *rule_p;
|
|
||||||
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
|
||||||
const SSL_CIPHER **ca_list = NULL;
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ char *new_rules = NULL;
|
|
||||||
+
|
|
||||||
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
|
||||||
+ char *p = rule_str + 14;
|
|
||||||
+
|
|
||||||
+ new_rules = load_system_str(p);
|
|
||||||
+ rule_str = new_rules;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Return with error if nothing to do.
|
|
||||||
*/
|
|
||||||
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
#ifndef OPENSSL_NO_EC
|
|
||||||
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
|
||||||
if (co_list == NULL) {
|
|
||||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return NULL; /* Failure */
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
|
||||||
@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
* in force within each class
|
|
||||||
*/
|
|
||||||
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
|
||||||
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
|
||||||
if (ca_list == NULL) {
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
|
||||||
- return NULL; /* Failure */
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
|
||||||
disabled_mkey, disabled_auth, disabled_enc,
|
|
||||||
@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
OPENSSL_free(ca_list); /* Not needed anymore */
|
|
||||||
|
|
||||||
if (!ok) { /* Rule processing failure */
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
* if we cannot get one.
|
|
||||||
*/
|
|
||||||
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
|
||||||
- OPENSSL_free(co_list);
|
|
||||||
- return NULL;
|
|
||||||
+ goto err;
|
|
||||||
}
|
|
||||||
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
|
||||||
if (!sk_SSL_CIPHER_push(cipherstack,
|
|
||||||
sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
|
|
||||||
+ OPENSSL_free(co_list);
|
|
||||||
sk_SSL_CIPHER_free(cipherstack);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
|
||||||
*cipher_list = cipherstack;
|
|
||||||
|
|
||||||
return cipherstack;
|
|
||||||
+
|
|
||||||
+err:
|
|
||||||
+ OPENSSL_free(co_list);
|
|
||||||
+#ifdef SYSTEM_CIPHERS_FILE
|
|
||||||
+ OPENSSL_free(new_rules);
|
|
||||||
+#endif
|
|
||||||
+ return NULL;
|
|
||||||
+
|
|
||||||
}
|
|
||||||
|
|
||||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
|
||||||
diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
|
|
||||||
--- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist 2019-05-29 15:42:27.970328937 +0200
|
|
||||||
+++ openssl-1.1.1c/ssl/ssl_lib.c 2019-05-29 15:42:27.977328814 +0200
|
|
||||||
@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
|
||||||
ctx->tls13_ciphersuites,
|
|
||||||
&(ctx->cipher_list),
|
|
||||||
&(ctx->cipher_list_by_id),
|
|
||||||
- SSL_DEFAULT_CIPHER_LIST, ctx->cert);
|
|
||||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
|
||||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
|
||||||
SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
|
||||||
return 0;
|
|
||||||
@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
|
||||||
if (!ssl_create_cipher_list(ret->method,
|
|
||||||
ret->tls13_ciphersuites,
|
|
||||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
|
||||||
- SSL_DEFAULT_CIPHER_LIST, ret->cert)
|
|
||||||
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
|
||||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
|
||||||
SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
|
||||||
goto err2;
|
|
||||||
diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
|
|
||||||
--- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200
|
|
||||||
+++ openssl-1.1.1c/test/cipherlist_test.c 2019-05-29 15:42:27.977328814 +0200
|
|
||||||
@@ -251,7 +251,9 @@ end:
|
|
||||||
|
|
||||||
int setup_tests(void)
|
|
||||||
{
|
|
||||||
+#ifndef SYSTEM_CIPHERS_FILE
|
|
||||||
ADD_TEST(test_default_cipherlist_implicit);
|
|
||||||
+#endif
|
|
||||||
ADD_TEST(test_default_cipherlist_explicit);
|
|
||||||
ADD_TEST(test_default_cipherlist_clear);
|
|
||||||
return 1;
|
|
@ -1,70 +0,0 @@
|
|||||||
diff -up openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default openssl-1.1.1h/apps/openssl.cnf
|
|
||||||
--- openssl-1.1.1h/apps/openssl.cnf.ts-sha256-default 2020-11-06 11:07:28.850100899 +0100
|
|
||||||
+++ openssl-1.1.1h/apps/openssl.cnf 2020-11-06 11:11:28.042913791 +0100
|
|
||||||
@@ -364,5 +348,5 @@ tsa_name = yes # Must the TSA name be i
|
|
||||||
# (optional, default: no)
|
|
||||||
ess_cert_id_chain = no # Must the ESS cert id chain be included?
|
|
||||||
# (optional, default: no)
|
|
||||||
-ess_cert_id_alg = sha1 # algorithm to compute certificate
|
|
||||||
+ess_cert_id_alg = sha256 # algorithm to compute certificate
|
|
||||||
# identifier (optional, default: sha1)
|
|
||||||
diff -up openssl-1.1.1h/apps/ts.c.ts-sha256-default openssl-1.1.1h/apps/ts.c
|
|
||||||
--- openssl-1.1.1h/apps/ts.c.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
|
|
||||||
+++ openssl-1.1.1h/apps/ts.c 2020-11-06 11:07:28.883101220 +0100
|
|
||||||
@@ -423,7 +423,7 @@ static TS_REQ *create_query(BIO *data_bi
|
|
||||||
ASN1_OBJECT *policy_obj = NULL;
|
|
||||||
ASN1_INTEGER *nonce_asn1 = NULL;
|
|
||||||
|
|
||||||
- if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
|
|
||||||
+ if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
|
|
||||||
goto err;
|
|
||||||
if ((ts_req = TS_REQ_new()) == NULL)
|
|
||||||
goto err;
|
|
||||||
diff -up openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default openssl-1.1.1h/crypto/ts/ts_conf.c
|
|
||||||
--- openssl-1.1.1h/crypto/ts/ts_conf.c.ts-sha256-default 2020-11-06 12:03:51.226372867 +0100
|
|
||||||
+++ openssl-1.1.1h/crypto/ts/ts_conf.c 2020-11-06 12:04:01.713488990 +0100
|
|
||||||
@@ -476,7 +476,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF
|
|
||||||
const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
|
|
||||||
|
|
||||||
if (md == NULL)
|
|
||||||
- md = "sha1";
|
|
||||||
+ md = "sha256";
|
|
||||||
|
|
||||||
cert_md = EVP_get_digestbyname(md);
|
|
||||||
if (cert_md == NULL) {
|
|
||||||
diff -up openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default openssl-1.1.1h/doc/man1/ts.pod
|
|
||||||
--- openssl-1.1.1h/doc/man1/ts.pod.ts-sha256-default 2020-09-22 14:55:07.000000000 +0200
|
|
||||||
+++ openssl-1.1.1h/doc/man1/ts.pod 2020-11-06 11:07:28.883101220 +0100
|
|
||||||
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
|
|
||||||
=item B<ess_cert_id_alg>
|
|
||||||
|
|
||||||
This option specifies the hash function to be used to calculate the TSA's
|
|
||||||
-public key certificate identifier. Default is sha1. (Optional)
|
|
||||||
+public key certificate identifier. Default is sha256. (Optional)
|
|
||||||
|
|
||||||
=back
|
|
||||||
|
|
||||||
@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
|
|
||||||
|
|
||||||
=head2 Time Stamp Request
|
|
||||||
|
|
||||||
-To create a timestamp request for design1.txt with SHA-1
|
|
||||||
+To create a timestamp request for design1.txt with SHA-256
|
|
||||||
without nonce and policy and no certificate is required in the response:
|
|
||||||
|
|
||||||
openssl ts -query -data design1.txt -no_nonce \
|
|
||||||
@@ -546,12 +546,12 @@ To print the content of the previous req
|
|
||||||
|
|
||||||
openssl ts -query -in design1.tsq -text
|
|
||||||
|
|
||||||
-To create a timestamp request which includes the MD-5 digest
|
|
||||||
+To create a timestamp request which includes the SHA-512 digest
|
|
||||||
of design2.txt, requests the signer certificate and nonce,
|
|
||||||
specifies a policy id (assuming the tsa_policy1 name is defined in the
|
|
||||||
OID section of the config file):
|
|
||||||
|
|
||||||
- openssl ts -query -data design2.txt -md5 \
|
|
||||||
+ openssl ts -query -data design2.txt -sha512 \
|
|
||||||
-tspolicy tsa_policy1 -cert -out design2.tsq
|
|
||||||
|
|
||||||
=head2 Time Stamp Response
|
|
@ -1,38 +0,0 @@
|
|||||||
diff -up openssl-1.1.1-pre8/apps/version.c.version-add-engines openssl-1.1.1-pre8/apps/version.c
|
|
||||||
--- openssl-1.1.1-pre8/apps/version.c.version-add-engines 2018-06-20 16:48:09.000000000 +0200
|
|
||||||
+++ openssl-1.1.1-pre8/apps/version.c 2018-07-16 18:00:40.608624346 +0200
|
|
||||||
@@ -64,7 +64,7 @@ int version_main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
int ret = 1, dirty = 0, seed = 0;
|
|
||||||
int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
|
|
||||||
- int engdir = 0;
|
|
||||||
+ int engdir = 0, engines = 0;
|
|
||||||
char *prog;
|
|
||||||
OPTION_CHOICE o;
|
|
||||||
|
|
||||||
@@ -106,7 +106,7 @@ opthelp:
|
|
||||||
break;
|
|
||||||
case OPT_A:
|
|
||||||
seed = options = cflags = version = date = platform = dir = engdir
|
|
||||||
- = 1;
|
|
||||||
+ = engines = 1;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -188,6 +188,16 @@ opthelp:
|
|
||||||
#endif
|
|
||||||
printf("\n");
|
|
||||||
}
|
|
||||||
+ if (engines) {
|
|
||||||
+ ENGINE *e;
|
|
||||||
+ printf("engines: ");
|
|
||||||
+ e = ENGINE_get_first();
|
|
||||||
+ while (e) {
|
|
||||||
+ printf("%s ", ENGINE_get_id(e));
|
|
||||||
+ e = ENGINE_get_next(e);
|
|
||||||
+ }
|
|
||||||
+ printf("\n");
|
|
||||||
+ }
|
|
||||||
ret = 0;
|
|
||||||
end:
|
|
||||||
return ret;
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
|
|
||||||
--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
|
|
||||||
+++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
|
|
||||||
@@ -40,7 +40,7 @@ extern "C" {
|
|
||||||
* major minor fix final patch/beta)
|
|
||||||
*/
|
|
||||||
# define OPENSSL_VERSION_NUMBER 0x1010108fL
|
|
||||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020"
|
|
||||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020"
|
|
||||||
|
|
||||||
/*-
|
|
||||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
|
@ -1,57 +0,0 @@
|
|||||||
diff -up openssl-1.1.1/ssl/s3_lib.c.weak-ciphers openssl-1.1.1/ssl/s3_lib.c
|
|
||||||
--- openssl-1.1.1/ssl/s3_lib.c.weak-ciphers 2018-09-11 14:48:23.000000000 +0200
|
|
||||||
+++ openssl-1.1.1/ssl/s3_lib.c 2018-09-17 12:53:33.850637181 +0200
|
|
||||||
@@ -2612,7 +2612,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
SSL_GOST89MAC,
|
|
||||||
TLS1_VERSION, TLS1_2_VERSION,
|
|
||||||
0, 0,
|
|
||||||
- SSL_HIGH,
|
|
||||||
+ SSL_MEDIUM,
|
|
||||||
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
|
|
||||||
256,
|
|
||||||
256,
|
|
||||||
@@ -2644,7 +2644,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
SSL_GOST89MAC12,
|
|
||||||
TLS1_VERSION, TLS1_2_VERSION,
|
|
||||||
0, 0,
|
|
||||||
- SSL_HIGH,
|
|
||||||
+ SSL_MEDIUM,
|
|
||||||
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
|
|
||||||
256,
|
|
||||||
256,
|
|
||||||
@@ -2753,7 +2753,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
},
|
|
||||||
#endif /* OPENSSL_NO_SEED */
|
|
||||||
|
|
||||||
-#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
|
||||||
+#if 0 /* No MD5 ciphersuites */
|
|
||||||
{
|
|
||||||
1,
|
|
||||||
SSL3_TXT_RSA_RC4_128_MD5,
|
|
||||||
@@ -2770,6 +2770,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
128,
|
|
||||||
128,
|
|
||||||
},
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
|
||||||
{
|
|
||||||
1,
|
|
||||||
SSL3_TXT_RSA_RC4_128_SHA,
|
|
||||||
@@ -2786,6 +2788,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
128,
|
|
||||||
128,
|
|
||||||
},
|
|
||||||
+#endif
|
|
||||||
+#if 0
|
|
||||||
{
|
|
||||||
1,
|
|
||||||
SSL3_TXT_ADH_RC4_128_MD5,
|
|
||||||
@@ -2802,6 +2806,8 @@ static SSL_CIPHER ssl3_ciphers[] = {
|
|
||||||
128,
|
|
||||||
128,
|
|
||||||
},
|
|
||||||
+#endif
|
|
||||||
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
|
||||||
{
|
|
||||||
1,
|
|
||||||
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
|
|
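--- a/openssl-fips.conf
+++ b/openssl-fips.conf
@@ -0,0 +1,2 @@
+-b /usr/lib{,64}/libcrypto.so.*
+-b /usr/lib{,64}/libssl.so.*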
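Review bot: openssl-fips.conf is added with two bare `-b` entries and no comment saying which tool reads the file or why libcrypto and libssl are listed. The `-b` plus glob form looks like a prelink blacklist, presumably so the libraries are not rewritten after their FIPS integrity checksums are computed, but nothing on the page confirms that; please verify it against the spec's install step. If the consuming format accepts `#` comments, a first line such as `# Keep prelink from modifying the FIPS-checksummed OpenSSL libraries` would make clear that dropping an entry affects the FIPS integrity check and is not just a packaging detail.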
396
openssl.spec
396
openssl.spec
@ -15,14 +15,14 @@
|
|||||||
|
|
||||||
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
|
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
|
||||||
# also be handled in opensslconf-new.h.
|
# also be handled in opensslconf-new.h.
|
||||||
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
%define multilib_arches %{ix86} ia64 %{mips} ppc %{power64} s390 s390x sparcv9 sparc64 x86_64
|
||||||
|
|
||||||
%global _performance_build 1
|
%global _performance_build 1
|
||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1h
|
Version: 1.1.0h
|
||||||
Release: 1%{?dist}
|
Release: 3%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -38,57 +38,43 @@ Source11: README.FIPS
|
|||||||
Source12: ec_curve.c
|
Source12: ec_curve.c
|
||||||
Source13: ectest.c
|
Source13: ectest.c
|
||||||
# Build changes
|
# Build changes
|
||||||
Patch1: openssl-1.1.1-build.patch
|
Patch1: openssl-1.1.0-build.patch
|
||||||
Patch2: openssl-1.1.1-defaults.patch
|
Patch2: openssl-1.1.0-defaults.patch
|
||||||
Patch3: openssl-1.1.1-no-html.patch
|
Patch3: openssl-1.1.0-no-html.patch
|
||||||
Patch4: openssl-1.1.1-man-rename.patch
|
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
Patch21: openssl-1.1.0-issuer-hash.patch
|
Patch21: openssl-1.1.0-issuer-hash.patch
|
||||||
|
Patch22: openssl-1.1.0-algo-doc.patch
|
||||||
|
Patch23: openssl-1.1.0-manfix.patch
|
||||||
# Functionality changes
|
# Functionality changes
|
||||||
Patch31: openssl-1.1.1-conf-paths.patch
|
Patch31: openssl-1.1.0-ca-dir.patch
|
||||||
Patch32: openssl-1.1.1-version-add-engines.patch
|
Patch32: openssl-1.1.0-version-add-engines.patch
|
||||||
Patch33: openssl-1.1.1-apps-dgst.patch
|
Patch33: openssl-1.1.0-apps-dgst.patch
|
||||||
Patch36: openssl-1.1.1-no-brainpool.patch
|
Patch35: openssl-1.1.0-chil-fixes.patch
|
||||||
Patch37: openssl-1.1.1-ec-curves.patch
|
Patch36: openssl-1.1.0-secure-getenv.patch
|
||||||
Patch38: openssl-1.1.1-no-weak-verify.patch
|
Patch37: openssl-1.1.0-ec-curves.patch
|
||||||
Patch40: openssl-1.1.1-disable-ssl3.patch
|
Patch38: openssl-1.1.0-no-weak-verify.patch
|
||||||
Patch41: openssl-1.1.1-system-cipherlist.patch
|
Patch39: openssl-1.1.0-cc-reqs.patch
|
||||||
Patch42: openssl-1.1.1-fips.patch
|
Patch40: openssl-1.1.0-disable-ssl3.patch
|
||||||
Patch44: openssl-1.1.1-version-override.patch
|
Patch41: openssl-1.1.0-system-cipherlist.patch
|
||||||
Patch45: openssl-1.1.1-weak-ciphers.patch
|
Patch42: openssl-1.1.0-fips.patch
|
||||||
Patch46: openssl-1.1.1-seclevel.patch
|
Patch44: openssl-1.1.0-bio-fd-preserve-nl.patch
|
||||||
Patch47: openssl-1.1.1-ts-sha256-default.patch
|
Patch45: openssl-1.1.0-weak-ciphers.patch
|
||||||
Patch48: openssl-1.1.1-fips-post-rand.patch
|
Patch46: openssl-1.1.0-silent-rnd-write.patch
|
||||||
Patch49: openssl-1.1.1-evp-kdf.patch
|
|
||||||
Patch50: openssl-1.1.1-ssh-kdf.patch
|
|
||||||
Patch51: openssl-1.1.1-intel-cet.patch
|
|
||||||
Patch60: openssl-1.1.1-krb5-kdf.patch
|
|
||||||
Patch61: openssl-1.1.1-edk2-build.patch
|
|
||||||
Patch62: openssl-1.1.1-fips-curves.patch
|
|
||||||
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
|
|
||||||
Patch66: openssl-1.1.1-fips-dh.patch
|
|
||||||
Patch67: openssl-1.1.1-kdf-selftest.patch
|
|
||||||
Patch69: openssl-1.1.1-alpn-cb.patch
|
|
||||||
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
|
|
||||||
# Backported fixes including security fixes
|
# Backported fixes including security fixes
|
||||||
Patch52: openssl-1.1.1-s390x-update.patch
|
Patch70: openssl-1.1.0-missing-quotes.patch
|
||||||
Patch53: openssl-1.1.1-fips-crng-test.patch
|
|
||||||
Patch55: openssl-1.1.1-arm-update.patch
|
|
||||||
Patch56: openssl-1.1.1-s390x-ecc.patch
|
|
||||||
|
|
||||||
License: OpenSSL and ASL 2.0
|
License: OpenSSL
|
||||||
|
Group: System Environment/Libraries
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
BuildRequires: coreutils, krb5-devel, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||||
BuildRequires: lksctp-tools-devel
|
BuildRequires: lksctp-tools-devel
|
||||||
BuildRequires: /usr/bin/rename
|
BuildRequires: /usr/bin/rename
|
||||||
BuildRequires: /usr/bin/pod2man
|
BuildRequires: /usr/bin/pod2man
|
||||||
BuildRequires: /usr/sbin/sysctl
|
|
||||||
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
||||||
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
||||||
BuildRequires: perl(Time::HiRes)
|
BuildRequires: perl(Time::HiRes)
|
||||||
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
|
Requires: coreutils, make
|
||||||
Requires: coreutils
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -99,9 +85,12 @@ protocols.
|
|||||||
|
|
||||||
%package libs
|
%package libs
|
||||||
Summary: A general purpose cryptography library with TLS implementation
|
Summary: A general purpose cryptography library with TLS implementation
|
||||||
|
Group: System Environment/Libraries
|
||||||
Requires: ca-certificates >= 2008-5
|
Requires: ca-certificates >= 2008-5
|
||||||
Requires: crypto-policies >= 20180730
|
Requires: crypto-policies
|
||||||
Recommends: openssl-pkcs11%{?_isa}
|
# Needed obsoletes due to the base/lib subpackage split
|
||||||
|
Obsoletes: openssl < 1:1.0.1-0.3.beta3
|
||||||
|
Obsoletes: openssl-fips < 1:1.0.1e-28
|
||||||
Provides: openssl-fips = %{epoch}:%{version}-%{release}
|
Provides: openssl-fips = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description libs
|
%description libs
|
||||||
@ -111,7 +100,9 @@ support cryptographic algorithms and protocols.
|
|||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: Files for development of applications which will use OpenSSL
|
Summary: Files for development of applications which will use OpenSSL
|
||||||
|
Group: Development/Libraries
|
||||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
|
||||||
Requires: pkgconfig
|
Requires: pkgconfig
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
@ -121,6 +112,7 @@ support various cryptographic algorithms and protocols.
|
|||||||
|
|
||||||
%package static
|
%package static
|
||||||
Summary: Libraries for static linking of applications which will use OpenSSL
|
Summary: Libraries for static linking of applications which will use OpenSSL
|
||||||
|
Group: Development/Libraries
|
||||||
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
%description static
|
%description static
|
||||||
@ -131,6 +123,7 @@ protocols.
|
|||||||
|
|
||||||
%package perl
|
%package perl
|
||||||
Summary: Perl scripts provided with OpenSSL
|
Summary: Perl scripts provided with OpenSSL
|
||||||
|
Group: Applications/Internet
|
||||||
Requires: perl-interpreter
|
Requires: perl-interpreter
|
||||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
@ -152,40 +145,27 @@ cp %{SOURCE13} test/
|
|||||||
%patch1 -p1 -b .build %{?_rawbuild}
|
%patch1 -p1 -b .build %{?_rawbuild}
|
||||||
%patch2 -p1 -b .defaults
|
%patch2 -p1 -b .defaults
|
||||||
%patch3 -p1 -b .no-html %{?_rawbuild}
|
%patch3 -p1 -b .no-html %{?_rawbuild}
|
||||||
%patch4 -p1 -b .man-rename
|
|
||||||
|
|
||||||
%patch21 -p1 -b .issuer-hash
|
%patch21 -p1 -b .issuer-hash
|
||||||
|
%patch22 -p1 -b .algo-doc
|
||||||
|
%patch23 -p1 -b .manfix
|
||||||
|
|
||||||
%patch31 -p1 -b .conf-paths
|
%patch31 -p1 -b .ca-dir
|
||||||
%patch32 -p1 -b .version-add-engines
|
%patch32 -p1 -b .version-add-engines
|
||||||
%patch33 -p1 -b .dgst
|
%patch33 -p1 -b .dgst
|
||||||
%patch36 -p1 -b .no-brainpool
|
%patch35 -p1 -b .chil
|
||||||
|
%patch36 -p1 -b .secure-getenv
|
||||||
%patch37 -p1 -b .curves
|
%patch37 -p1 -b .curves
|
||||||
%patch38 -p1 -b .no-weak-verify
|
%patch38 -p1 -b .no-weak-verify
|
||||||
|
%patch39 -p1 -b .cc-reqs
|
||||||
%patch40 -p1 -b .disable-ssl3
|
%patch40 -p1 -b .disable-ssl3
|
||||||
%patch41 -p1 -b .system-cipherlist
|
%patch41 -p1 -b .system-cipherlist
|
||||||
%patch42 -p1 -b .fips
|
%patch42 -p1 -b .fips
|
||||||
%patch44 -p1 -b .version-override
|
%patch44 -p1 -b .preserve-nl
|
||||||
%patch45 -p1 -b .weak-ciphers
|
%patch45 -p1 -b .weak-ciphers
|
||||||
%patch46 -p1 -b .seclevel
|
%patch46 -p1 -b .silent-rnd-write
|
||||||
%patch47 -p1 -b .ts-sha256-default
|
|
||||||
%patch48 -p1 -b .fips-post-rand
|
|
||||||
%patch49 -p1 -b .evp-kdf
|
|
||||||
%patch50 -p1 -b .ssh-kdf
|
|
||||||
%patch51 -p1 -b .intel-cet
|
|
||||||
%patch52 -p1 -b .s390x-update
|
|
||||||
%patch53 -p1 -b .crng-test
|
|
||||||
%patch55 -p1 -b .arm-update
|
|
||||||
%patch56 -p1 -b .s390x-ecc
|
|
||||||
%patch60 -p1 -b .krb5-kdf
|
|
||||||
%patch61 -p1 -b .edk2-build
|
|
||||||
%patch62 -p1 -b .fips-curves
|
|
||||||
%patch65 -p1 -b .drbg-selftest
|
|
||||||
%patch66 -p1 -b .fips-dh
|
|
||||||
%patch67 -p1 -b .kdf-selftest
|
|
||||||
%patch69 -p1 -b .alpn-cb
|
|
||||||
%patch70 -p1 -b .rewire-fips-drbg
|
|
||||||
|
|
||||||
|
%patch70 -p1 -b .missing-quotes
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Figure out which flags we want to use.
|
# Figure out which flags we want to use.
|
||||||
@ -251,7 +231,7 @@ sslarch=linux-generic64
|
|||||||
# marked as not requiring an executable stack.
|
# marked as not requiring an executable stack.
|
||||||
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
||||||
# want to depend on the uninitialized memory as a source of entropy anyway.
|
# want to depend on the uninitialized memory as a source of entropy anyway.
|
||||||
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
|
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
|
||||||
|
|
||||||
export HASHBANGPERL=/usr/bin/perl
|
export HASHBANGPERL=/usr/bin/perl
|
||||||
|
|
||||||
@ -265,8 +245,8 @@ export HASHBANGPERL=/usr/bin/perl
|
|||||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||||
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
|
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
|
||||||
enable-weak-ssl-ciphers \
|
enable-weak-ssl-ciphers \
|
||||||
no-mdc2 no-ec2m no-sm2 no-sm4 \
|
no-mdc2 no-ec2m \
|
||||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
shared ${sslarch} $RPM_OPT_FLAGS
|
||||||
|
|
||||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||||
#util/mkdef.pl crypto update
|
#util/mkdef.pl crypto update
|
||||||
@ -284,13 +264,6 @@ done
|
|||||||
%check
|
%check
|
||||||
# Verify that what was compiled actually works.
|
# Verify that what was compiled actually works.
|
||||||
|
|
||||||
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
|
|
||||||
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
|
|
||||||
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
|
|
||||||
sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
|
|
||||||
touch -r configdata.pm configdata.pm.new && \
|
|
||||||
mv -f configdata.pm.new configdata.pm)
|
|
||||||
|
|
||||||
# We must revert patch31 before tests otherwise they will fail
|
# We must revert patch31 before tests otherwise they will fail
|
||||||
patch -p1 -R < %{PATCH31}
|
patch -p1 -R < %{PATCH31}
|
||||||
|
|
||||||
@ -302,8 +275,6 @@ crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}
|
|||||||
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
|
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
|
||||||
OPENSSL_ENABLE_MD5_VERIFY=
|
OPENSSL_ENABLE_MD5_VERIFY=
|
||||||
export OPENSSL_ENABLE_MD5_VERIFY
|
export OPENSSL_ENABLE_MD5_VERIFY
|
||||||
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
|
||||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
|
||||||
make test
|
make test
|
||||||
|
|
||||||
# Add generation of HMAC checksum of the final stripped library
|
# Add generation of HMAC checksum of the final stripped library
|
||||||
@ -322,8 +293,8 @@ make test
|
|||||||
%install
|
%install
|
||||||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||||
# Install OpenSSL.
|
# Install OpenSSL.
|
||||||
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
|
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl}
|
||||||
%make_install
|
make DESTDIR=$RPM_BUILD_ROOT install
|
||||||
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
|
||||||
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
|
||||||
chmod 755 ${lib}
|
chmod 755 ${lib}
|
||||||
@ -334,7 +305,7 @@ done
|
|||||||
# Install a makefile for generating keys and self-signed certs, and a script
|
# Install a makefile for generating keys and self-signed certs, and a script
|
||||||
# for generating them on the fly.
|
# for generating them on the fly.
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
|
||||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile
|
||||||
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
|
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
|
||||||
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
||||||
|
|
||||||
@ -342,6 +313,13 @@ install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
|
|||||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
|
||||||
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
|
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
|
||||||
|
|
||||||
|
# Make sure we actually include the headers we built against.
|
||||||
|
for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do
|
||||||
|
if [ -f ${header} -a -f include/openssl/$(basename ${header}) ] ; then
|
||||||
|
install -m644 include/openssl/`basename ${header}` ${header}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
# Rename man pages so that they don't conflict with other system man pages.
|
# Rename man pages so that they don't conflict with other system man pages.
|
||||||
pushd $RPM_BUILD_ROOT%{_mandir}
|
pushd $RPM_BUILD_ROOT%{_mandir}
|
||||||
ln -s -f config.5 man5/openssl.cnf.5
|
ln -s -f config.5 man5/openssl.cnf.5
|
||||||
@ -356,11 +334,6 @@ for manpage in man*/* ; do
|
|||||||
done
|
done
|
||||||
for conflict in passwd rand ; do
|
for conflict in passwd rand ; do
|
||||||
rename ${conflict} ssl${conflict} man*/${conflict}*
|
rename ${conflict} ssl${conflict} man*/${conflict}*
|
||||||
# Fix dangling symlinks
|
|
||||||
manpage=man1/openssl-${conflict}.*
|
|
||||||
if [ -L ${manpage} ] ; then
|
|
||||||
ln -snf ssl${conflict}.1ssl ${manpage}
|
|
||||||
fi
|
|
||||||
done
|
done
|
||||||
popd
|
popd
|
||||||
|
|
||||||
@ -370,13 +343,11 @@ mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
|
|||||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
|
||||||
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
|
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
|
||||||
|
|
||||||
# Ensure the config file timestamps are identical across builds to avoid
|
# Ensure the openssl.cnf timestamp is identical across builds to avoid
|
||||||
# mulitlib conflicts and unnecessary renames on upgrade
|
# mulitlib conflicts and unnecessary renames on upgrade
|
||||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
|
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
|
||||||
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
|
|
||||||
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
||||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
|
|
||||||
|
|
||||||
# Determine which arch opensslconf.h is going to try to #include.
|
# Determine which arch opensslconf.h is going to try to #include.
|
||||||
basearch=%{_arch}
|
basearch=%{_arch}
|
||||||
@ -390,13 +361,6 @@ basearch=sparc
|
|||||||
basearch=sparc64
|
basearch=sparc64
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Next step of gradual disablement of SSL3.
|
|
||||||
# Make SSL3 disappear to newly built dependencies.
|
|
||||||
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
|
|
||||||
#ifndef OPENSSL_NO_SSL3\
|
|
||||||
# define OPENSSL_NO_SSL3\
|
|
||||||
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
|
|
||||||
|
|
||||||
%ifarch %{multilib_arches}
|
%ifarch %{multilib_arches}
|
||||||
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
|
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
|
||||||
# can have both a 32- and 64-bit version of the library, and they each need
|
# can have both a 32- and 64-bit version of the library, and they each need
|
||||||
@ -411,22 +375,23 @@ install -m644 %{SOURCE9} \
|
|||||||
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
|
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
|
||||||
export LD_LIBRARY_PATH
|
export LD_LIBRARY_PATH
|
||||||
|
|
||||||
|
%clean
|
||||||
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc FAQ NEWS README README.FIPS
|
%doc FAQ NEWS README README.FIPS
|
||||||
%{_bindir}/make-dummy-cert
|
%{_bindir}/make-dummy-cert
|
||||||
%{_bindir}/renew-dummy-cert
|
%{_bindir}/renew-dummy-cert
|
||||||
|
%{_sysconfdir}/pki/tls/certs/Makefile
|
||||||
%{_bindir}/openssl
|
%{_bindir}/openssl
|
||||||
%{_mandir}/man1*/*
|
%{_mandir}/man1*/*
|
||||||
%{_mandir}/man5*/*
|
%{_mandir}/man5*/*
|
||||||
%{_mandir}/man7*/*
|
%{_mandir}/man7*/*
|
||||||
%{_pkgdocdir}/Makefile.certificate
|
|
||||||
%exclude %{_mandir}/man1*/*.pl*
|
%exclude %{_mandir}/man1*/*.pl*
|
||||||
%exclude %{_mandir}/man1*/c_rehash*
|
%exclude %{_mandir}/man1*/c_rehash*
|
||||||
%exclude %{_mandir}/man1*/openssl-c_rehash*
|
|
||||||
%exclude %{_mandir}/man1*/tsget*
|
%exclude %{_mandir}/man1*/tsget*
|
||||||
%exclude %{_mandir}/man1*/openssl-tsget*
|
|
||||||
|
|
||||||
%files libs
|
%files libs
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
@ -436,7 +401,6 @@ export LD_LIBRARY_PATH
|
|||||||
%dir %{_sysconfdir}/pki/tls/misc
|
%dir %{_sysconfdir}/pki/tls/misc
|
||||||
%dir %{_sysconfdir}/pki/tls/private
|
%dir %{_sysconfdir}/pki/tls/private
|
||||||
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
|
||||||
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
|
|
||||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
|
||||||
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
|
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
|
||||||
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
|
||||||
@ -461,254 +425,26 @@ export LD_LIBRARY_PATH
|
|||||||
%{_bindir}/tsget
|
%{_bindir}/tsget
|
||||||
%{_mandir}/man1*/*.pl*
|
%{_mandir}/man1*/*.pl*
|
||||||
%{_mandir}/man1*/c_rehash*
|
%{_mandir}/man1*/c_rehash*
|
||||||
%{_mandir}/man1*/openssl-c_rehash*
|
|
||||||
%{_mandir}/man1*/tsget*
|
%{_mandir}/man1*/tsget*
|
||||||
%{_mandir}/man1*/openssl-tsget*
|
|
||||||
%dir %{_sysconfdir}/pki/CA
|
%dir %{_sysconfdir}/pki/CA
|
||||||
%dir %{_sysconfdir}/pki/CA/private
|
%dir %{_sysconfdir}/pki/CA/private
|
||||||
%dir %{_sysconfdir}/pki/CA/certs
|
%dir %{_sysconfdir}/pki/CA/certs
|
||||||
%dir %{_sysconfdir}/pki/CA/crl
|
%dir %{_sysconfdir}/pki/CA/crl
|
||||||
%dir %{_sysconfdir}/pki/CA/newcerts
|
%dir %{_sysconfdir}/pki/CA/newcerts
|
||||||
|
|
||||||
%ldconfig_scriptlets libs
|
%post libs -p /sbin/ldconfig
|
||||||
|
|
||||||
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
|
|
||||||
- Upgrade to version 1.1.1.h
|
|
||||||
|
|
||||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1g-15
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1:1.1.1g-14
|
|
||||||
- Use make macros
|
|
||||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
|
||||||
|
|
||||||
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-13
|
|
||||||
- Additional FIPS mode check for EC key generation
|
|
||||||
|
|
||||||
* Fri Jul 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
|
|
||||||
- Further changes for SP 800-56A rev3 requirements
|
|
||||||
|
|
||||||
* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
|
|
||||||
- Drop long ago obsolete part of the FIPS patch
|
|
||||||
|
|
||||||
* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-10
|
|
||||||
- Rewire FIPS_drbg API to use the RAND_DRBG
|
|
||||||
|
|
||||||
* Fri Jun 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
|
|
||||||
- Disallow dropping Extended Master Secret extension
|
|
||||||
on renegotiation
|
|
||||||
- Return alert from s_server if ALPN protocol does not match
|
|
||||||
- SHA1 is allowed in @SECLEVEL=2 only if allowed by
|
|
||||||
TLS SigAlgs configuration
|
|
||||||
|
|
||||||
* Wed Jun 3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-8
|
|
||||||
- Add FIPS selftest for PBKDF2 and KBKDF
|
|
||||||
|
|
||||||
* Tue May 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
|
|
||||||
- Use the well known DH groups in TLS
|
|
||||||
|
|
||||||
* Mon May 25 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
|
|
||||||
- Allow only well known DH groups in the FIPS mode
|
|
||||||
|
|
||||||
* Thu May 21 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-5
|
|
||||||
- Re-apply the change from -2 now we have fixed nosync to work with it
|
|
||||||
|
|
||||||
* Tue May 19 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-4
|
|
||||||
- Revert the change from -2 as it seems to cause segfaults in systemd
|
|
||||||
|
|
||||||
* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-3
|
|
||||||
- pull some fixes and improvements from RHEL-8
|
|
||||||
|
|
||||||
* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
|
|
||||||
- FIPS module installed state definition is modified
|
|
||||||
|
|
||||||
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
|
|
||||||
- update to the 1.1.1g release
|
|
||||||
|
|
||||||
* Tue Apr 7 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1f-1
|
|
||||||
- update to the 1.1.1f release
|
|
||||||
|
|
||||||
* Thu Mar 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1e-2
|
|
||||||
- revert the unexpected EOF error reporting change as it is
|
|
||||||
too disruptive for the stable release branch
|
|
||||||
|
|
||||||
* Fri Mar 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1e-1
|
|
||||||
- update to the 1.1.1e release
|
|
||||||
- add selftest of the RAND_DRBG implementation
|
|
||||||
- fix incorrect error return value from FIPS_selftest_dsa
|
|
||||||
|
|
||||||
* Mon Feb 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-7
|
|
||||||
- apply Intel CET support patches by hjl (#1788699)
|
|
||||||
|
|
||||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1d-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-5
|
|
||||||
- allow zero length parameters in KDF_CTX_ctrl()
|
|
||||||
|
|
||||||
* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-4
|
|
||||||
- backport of SSKDF from master
|
|
||||||
|
|
||||||
* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-3
|
|
||||||
- backport of KBKDF and KRB5KDF from master
|
|
||||||
|
|
||||||
* Thu Oct 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-2
|
|
||||||
- re-enable the stitched AES-CBC-SHA implementations
|
|
||||||
- make AES-GCM work in FIPS mode again
|
|
||||||
- enable TLS-1.2 AES-CCM ciphers in FIPS mode
|
|
||||||
- fix openssl speed errors in FIPS mode
|
|
||||||
|
|
||||||
* Fri Sep 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1d-1
|
|
||||||
- update to the 1.1.1d release
|
|
||||||
|
|
||||||
* Fri Sep 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
|
|
||||||
- upstream fix for status request extension non-compliance (#1737471)
|
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1c-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
|
||||||
|
|
||||||
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
|
|
||||||
- do not try to use EC groups disallowed in FIPS mode
|
|
||||||
in TLS
|
|
||||||
- fix Valgrind regression with constant-time code
|
|
||||||
|
|
||||||
* Mon Jun 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
|
|
||||||
- add upstream patch to defer sending KeyUpdate after
|
|
||||||
pending writes are complete
|
|
||||||
|
|
||||||
* Thu May 30 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
|
|
||||||
- fix use of uninitialized memory
|
|
||||||
|
|
||||||
* Wed May 29 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
|
|
||||||
- update to the 1.1.1c release
|
|
||||||
|
|
||||||
* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-10
|
|
||||||
- Another attempt at the AES-CCM regression fix
|
|
||||||
|
|
||||||
* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-9
|
|
||||||
- Fix two small regressions
|
|
||||||
- Change the ts application default hash to SHA256
|
|
||||||
|
|
||||||
* Tue May 7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-8
|
|
||||||
- FIPS compliance fixes
|
|
||||||
|
|
||||||
* Mon May 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-7
|
|
||||||
- add S390x chacha20-poly1305 assembler support from master branch
|
|
||||||
|
|
||||||
* Fri May 3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-6
|
|
||||||
- apply new bugfixes from upstream 1.1.1 branch
|
|
||||||
|
|
||||||
* Tue Apr 16 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-5
|
|
||||||
- fix for BIO_get_mem_ptr() regression in 1.1.1b (#1691853)
|
|
||||||
|
|
||||||
* Wed Mar 27 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-4
|
|
||||||
- drop unused BuildRequires and Requires in the -devel subpackage
|
|
||||||
|
|
||||||
* Fri Mar 15 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-3
|
|
||||||
- fix regression in EVP_PBE_scrypt() (#1688284)
|
|
||||||
- fix incorrect help message in ca app (#1553206)
|
|
||||||
|
|
||||||
* Fri Mar 1 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-2
|
|
||||||
- use .include = syntax in the config file to allow it
|
|
||||||
to be parsed by 1.0.2 version (#1668916)
|
|
||||||
|
|
||||||
* Thu Feb 28 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-1
|
|
||||||
- update to the 1.1.1b release
|
|
||||||
- EVP_KDF API backport from master
|
|
||||||
- SSH KDF implementation for EVP_KDF API backport from master
|
|
||||||
|
|
||||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1a-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jan 15 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1a-1
|
|
||||||
- update to the 1.1.1a release
|
|
||||||
|
|
||||||
* Fri Nov 9 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-7
|
|
||||||
- use /dev/urandom for seeding the RNG in FIPS POST
|
|
||||||
|
|
||||||
* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6
|
|
||||||
- fix SECLEVEL 3 support
|
|
||||||
- fix some issues found in Coverity scan
|
|
||||||
|
|
||||||
* Thu Sep 27 2018 Charalampos Stratakis <cstratak@redhat.com> - 1:1.1.1-5
|
|
||||||
- Correctly invoke sed for defining OPENSSL_NO_SSL3
|
|
||||||
|
|
||||||
* Thu Sep 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-4
|
|
||||||
- define OPENSSL_NO_SSL3 so the newly built dependencies do not
|
|
||||||
have access to SSL3 API calls anymore
|
|
||||||
|
|
||||||
* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
|
|
||||||
- reinstate accidentally dropped patch for weak ciphersuites
|
|
||||||
|
|
||||||
* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
|
|
||||||
- for consistent support of security policies we build
|
|
||||||
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
|
|
||||||
|
|
||||||
* Thu Sep 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
|
|
||||||
- update to the final 1.1.1 version
|
|
||||||
|
|
||||||
* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
|
|
||||||
- do not try to initialize RNG in cleanup if it was not initialized
|
|
||||||
before (#1624554)
|
|
||||||
- use only /dev/urandom if getrandom() is not available
|
|
||||||
- disable SM4
|
|
||||||
|
|
||||||
* Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2
|
|
||||||
- fix dangling symlinks to manual pages
|
|
||||||
- make SSLv3_method work
|
|
||||||
|
|
||||||
* Wed Aug 22 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
|
|
||||||
- update to the latest 1.1.1 beta version
|
|
||||||
|
|
||||||
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.4
|
|
||||||
- bidirectional shutdown fixes from upstream
|
|
||||||
|
|
||||||
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.3
|
|
||||||
- do not put error on stack when using fixed protocol version
|
|
||||||
with the default config (#1615098)
|
|
||||||
|
|
||||||
* Fri Jul 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.2
|
|
||||||
- load crypto policy config file from the default config
|
|
||||||
|
|
||||||
* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8
|
|
||||||
- update to the latest 1.1.1 beta version
|
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0h-6
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Jun 19 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-5
|
|
||||||
- fix FIPS RSA key generation failure
|
|
||||||
|
|
||||||
* Mon Jun 4 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-4
|
|
||||||
- ppc64le is not multilib arch (#1584994)
|
|
||||||
|
|
||||||
* Tue Apr 3 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-3
|
* Tue Apr 3 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-3
|
||||||
- fix regression of c_rehash (#1562953)
|
- fix regression of c_rehash (#1562953)
|
||||||
|
|
||||||
* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-2
|
|
||||||
- fix FIPS symbol versions
|
|
||||||
|
|
||||||
* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-1
|
* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-1
|
||||||
- update to upstream version 1.1.0h
|
- update to upstream version 1.1.0h
|
||||||
- add Recommends for openssl-pkcs11
|
|
||||||
|
|
||||||
* Fri Feb 23 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-6
|
|
||||||
- one more try to apply RPM_LD_FLAGS properly (#1541033)
|
|
||||||
- dropped unneeded starttls xmpp patch (#1417017)
|
|
||||||
|
|
||||||
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0g-5
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Feb 1 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-4
|
|
||||||
- apply RPM_LD_FLAGS properly (#1541033)
|
- apply RPM_LD_FLAGS properly (#1541033)
|
||||||
|
|
||||||
* Thu Jan 11 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-3
|
|
||||||
- silence the .rnd write failure as that is auxiliary functionality (#1524833)
|
- silence the .rnd write failure as that is auxiliary functionality (#1524833)
|
||||||
|
|
||||||
* Thu Dec 14 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-2
|
|
||||||
- put the Makefile.certificate in pkgdocdir and drop the requirement on make
|
|
||||||
|
|
||||||
* Fri Nov 3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-1
|
* Fri Nov 3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-1
|
||||||
- update to upstream version 1.1.0g
|
- update to upstream version 1.1.0g
|
||||||
|
|
||||||
|
@ -18,13 +18,16 @@ if [ ! -f $PEM ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
let -a SERIAL=0x$(openssl x509 -in $PEM -noout -serial | cut -d= -f2)
|
||||||
|
let SERIAL++
|
||||||
|
|
||||||
umask 077
|
umask 077
|
||||||
|
|
||||||
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
|
OWNER=`ls -l $PEM | awk '{ printf "%s.%s", $3, $4; }'`
|
||||||
|
|
||||||
openssl rsa -inform pem -in $PEM -out $KEY
|
openssl rsa -inform pem -in $PEM -out $KEY
|
||||||
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
|
openssl x509 -x509toreq -in $PEM -signkey $KEY -out $REQ
|
||||||
openssl x509 -req -in $REQ -signkey $KEY -days 365 \
|
openssl x509 -req -in $REQ -signkey $KEY -set_serial $SERIAL -days 365 \
|
||||||
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
|
-extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -out $CRT
|
||||||
|
|
||||||
(cat $KEY ; echo "" ; cat $CRT) > $NEW
|
(cat $KEY ; echo "" ; cat $CRT) > $NEW
|
||||||
|
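Review bot: The serial computed by `let -a SERIAL=0x$(...)` and `let SERIAL++` passes through bash integer arithmetic, which is a fixed-width signed type (64-bit on common builds), so a serial with more than 15 hex digits can wrap or turn negative before it reaches `-set_serial $SERIAL`. X.509 allows serials of up to 20 octets and `openssl x509 -serial` prints the whole value, so a certificate that carries a randomly generated serial is enough to hit this. If the aim is only that the renewed certificate gets a different serial, a value that never enters shell arithmetic avoids the problem, for example `-set_serial 0x$(openssl rand -hex 16)`; otherwise the script should reject serials longer than 15 hex digits before incrementing. `-a` is also not an option of `let` and is evaluated as an arithmetic expression, so `let SERIAL=0x...` is probably what was meant. The script starts and continues outside this hunk, so how `$PEM` is validated beyond the `-f` test is not visible here.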
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908
|
SHA512 (openssl-1.1.0h-hobbled.tar.xz) = cba4641956d6593f5cf5164bed12fb3acfaa9c24a69d5642cc0267d0918555450a12ddeac6e02b246afa64e7019f35baa0d9302d1f06e3be5555d8340319c5e4
|
||||||
|
@ -1,63 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/openssl/Sanity/simple-rsapss-test
|
|
||||||
# Description: Test if RSA-PSS signature scheme is supported
|
|
||||||
# Author: Hubert Kario <hkario@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/openssl/Sanity/simple-rsapss-test
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
-include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: Test if RSA-PSS signature scheme is supported" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 1m" >> $(METADATA)
|
|
||||||
@echo "RunFor: openssl" >> $(METADATA)
|
|
||||||
@echo "Requires: openssl man man-db" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/openssl/Sanity/simple-rsapss-test
|
|
||||||
Description: Test if RSA-PSS signature scheme is supported
|
|
||||||
Author: Hubert Kario <hkario@redhat.com>
|
|
@ -1,74 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# runtest.sh of /CoreOS/openssl/Sanity/simple-rsapss-test
|
|
||||||
# Description: Test if RSA-PSS signature scheme is supported
|
|
||||||
# Author: Hubert Kario <hkario@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
# Include Beaker environment
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
||||||
|
|
||||||
PACKAGE="openssl"
|
|
||||||
|
|
||||||
PUB_KEY="rsa_pubkey.pem"
|
|
||||||
PRIV_KEY="rsa_key.pem"
|
|
||||||
FILE="text.txt"
|
|
||||||
SIG="text.sig"
|
|
||||||
|
|
||||||
rlJournalStart
|
|
||||||
rlPhaseStartSetup
|
|
||||||
rlAssertRpm $PACKAGE
|
|
||||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
||||||
rlRun "pushd $TmpDir"
|
|
||||||
rlRun "openssl genrsa -out $PRIV_KEY 2048" 0 "Generate RSA key"
|
|
||||||
rlRun "openssl rsa -in $PRIV_KEY -out $PUB_KEY -pubout" 0 "Split the public key from private key"
|
|
||||||
rlRun "echo 'sign me!' > $FILE" 0 "Create file for signing"
|
|
||||||
rlAssertExists $FILE
|
|
||||||
rlAssertExists $PRIV_KEY
|
|
||||||
rlAssertExists $PUB_KEY
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Test RSA-PSS padding mode"
|
|
||||||
set -o pipefail
|
|
||||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -out $SIG -sign $PRIV_KEY $FILE" 0 "Sign the file"
|
|
||||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file"
|
|
||||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file"
|
|
||||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file without specifying salt length"
|
|
||||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file without specifying salt length"
|
|
||||||
set +o pipefail
|
|
||||||
rlRun "sed -i 's/sign/Sign/' $FILE" 0 "Modify signed file"
|
|
||||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verification Failure'" 0 "Verify that the signature is no longer valid"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartTest "Documentation check"
|
|
||||||
[ -e "$(rpm -ql openssl | grep dgst)"] && rlRun "man dgst | col -b | grep -- -sigopt" 0 "Check if -sigopt option is described in man page"
|
|
||||||
rlRun "openssl dgst -help 2>&1 | grep -- -sigopt" 0 "Check if -sigopt option is present in help message"
|
|
||||||
rlPhaseEnd
|
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
|
||||||
rlRun "popd"
|
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
||||||
rlPhaseEnd
|
|
||||||
rlJournalPrintText
|
|
||||||
rlJournalEnd
|
|
@ -1,15 +0,0 @@
|
|||||||
---
|
|
||||||
# This first play always runs on the local staging system
|
|
||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
- container
|
|
||||||
tests:
|
|
||||||
- simple-rsapss-test
|
|
||||||
required_packages:
|
|
||||||
- findutils # beakerlib needs find command
|
|
||||||
- man # needed by simple-rsapss-test
|
|
||||||
- man-db # needed by simple-rsapss-test
|
|
||||||
- openssl # needed by simple-rsapss-test
|
|
@ -1,18 +0,0 @@
|
|||||||
---
|
|
||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-basic
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
repositories:
|
|
||||||
- repo: "https://src.fedoraproject.org/tests/python.git"
|
|
||||||
dest: "python"
|
|
||||||
tests:
|
|
||||||
- python_selftest:
|
|
||||||
dir: python/selftest
|
|
||||||
run: X="test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc" ./parallel.sh
|
|
||||||
required_packages:
|
|
||||||
- gcc # for extension building in venv and selftest
|
|
||||||
- python3-tkinter # for selftest
|
|
||||||
- python3-test # for selftest
|
|
||||||
- python3-rpm-macros # for dynamic python version
|
|