Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Leap:15.2 checked in at 2020-03-20 05:52:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/openssl-1_1 (Old) and /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1" Fri Mar 20 05:52:26 2020 rev:33 rq:782184 version:1.1.1d Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/openssl-1_1/openssl-1_1.changes 2020-01-19 15:47:02.249686658 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.openssl-1_1.new.3160/openssl-1_1.changes 2020-03-20 05:52:30.420047520 +0100 @@ -1,0 +2,77 @@ +Wed Mar 4 08:23:23 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Limit the DRBG selftests to not deplete entropy (bsc#1165274) + * update openssl-fips_selftest_upstream_drbg.patch + +------------------------------------------------------------------- +Wed Feb 26 13:28:14 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Run FIPS DRBG selftests against the crypto/rand DRBG implementation + (bsc#1164557) + * add openssl-fips_selftest_upstream_drbg.patch + +------------------------------------------------------------------- +Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Use the newly build libcrypto shared library when computing the hmac + checksums in order to avoid a bootstrapping issue by BuildRequiring + libopenssl1_1 (bsc#1164102) + +------------------------------------------------------------------- +Thu Feb 13 10:57:45 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569) + * add openssl-fips_fix_selftests_return_value.patch + +------------------------------------------------------------------- +Wed Feb 12 21:14:27 UTC 2020 - Jason Sikes <[email protected]> + +- Added SHA3 FIPS self-tests bsc#1155345 + * openssl-fips-add-SHA3-selftest.patch + +------------------------------------------------------------------- +Tue Jan 28 12:14:59 UTC 2020 - Pedro Monreal Gonzalez <[email protected]> + +- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403] +- Add patches: + * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch + * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch + +------------------------------------------------------------------- +Thu Jan 23 14:32:28 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our + layered FIPS initialization (bsc#1161789) + * openssl-fips-ignore_broken_atexit_test.patch + +------------------------------------------------------------------- +Wed Jan 22 13:59:15 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Import FIPS patches from SLE-15 + * openssl-fips-dont_run_FIPS_module_installed.patch + * openssl-fips_mode.patch + * openssl-ship_fips_standalone_hmac.patch + * openssl-fips-clearerror.patch + * openssl-fips-selftests_in_nonfips_mode.patch + +------------------------------------------------------------------- +Tue Jan 21 16:08:21 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Don't run FIPS power-up self-tests when the checksum files aren't + installed (bsc#1042392) + * add openssl-fips-run_selftests_only_when_module_is_complete.patch + +------------------------------------------------------------------- +Tue Jan 21 11:10:42 UTC 2020 - Vítězslav Čížek <[email protected]> + +- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) + * openssl-1.1.1-fips-crng-test.patch + * openssl-1.1.1-fips-post-rand.patch + * openssl-1.1.1-fips.patch + * openssl-1.1.0-issuer-hash.patch + * openssl-1.1.1-evp-kdf.patch + * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch +- keep EVP_KDF functions at version 1.1.1d for backward compatibility + * add openssl-keep_EVP_KDF_functions_version.patch + +------------------------------------------------------------------- Old: ---- openssl-jsc-SLE-8789-backport_KDF.patch New: ---- openssl-1.1.0-issuer-hash.patch openssl-1.1.1-evp-kdf.patch openssl-1.1.1-fips-crng-test.patch openssl-1.1.1-fips-post-rand.patch openssl-1.1.1-fips.patch openssl-1.1.1-ssh-kdf.patch openssl-fips-add-SHA3-selftest.patch openssl-fips-clearerror.patch openssl-fips-dont_run_FIPS_module_installed.patch openssl-fips-ignore_broken_atexit_test.patch openssl-fips-run_selftests_only_when_module_is_complete.patch openssl-fips-selftests_in_nonfips_mode.patch openssl-fips_fix_selftests_return_value.patch openssl-fips_mode.patch openssl-fips_selftest_upstream_drbg.patch openssl-keep_EVP_KDF_functions_version.patch openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch openssl-ship_fips_standalone_hmac.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_1.spec ++++++ --- /var/tmp/diff_new_pack.W4dEKE/_old 2020-03-20 05:52:32.324048789 +0100 +++ /var/tmp/diff_new_pack.W4dEKE/_new 2020-03-20 05:52:32.324048789 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl-1_1 # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -50,7 +50,6 @@ Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch -Patch14: openssl-jsc-SLE-8789-backport_KDF.patch # OpenSSL Security Advisory [6 December 2019] bsc#1158809 CVE-2019-1551 # PATCH-FIX-UPSTREAM Integer overflow in RSAZ modular exponentiation on x86_64 Patch15: openssl-1_1-CVE-2019-1551.patch @@ -68,6 +67,27 @@ Patch26: openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch Patch27: openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch Patch28: openssl-Fix-9bf682f-which-broke-nistp224_method.patch +# FIPS patches +Patch30: openssl-1.1.1-fips.patch +Patch31: openssl-1.1.1-fips-post-rand.patch +Patch32: openssl-1.1.1-fips-crng-test.patch +Patch33: openssl-1.1.0-issuer-hash.patch +Patch34: openssl-fips-run_selftests_only_when_module_is_complete.patch +Patch35: openssl-ship_fips_standalone_hmac.patch +Patch36: openssl-fips_mode.patch +Patch37: openssl-1.1.1-evp-kdf.patch +Patch38: openssl-1.1.1-ssh-kdf.patch +Patch39: openssl-fips-dont_run_FIPS_module_installed.patch +Patch40: openssl-fips-selftests_in_nonfips_mode.patch +Patch41: openssl-fips-clearerror.patch +Patch42: openssl-fips-ignore_broken_atexit_test.patch +Patch43: openssl-keep_EVP_KDF_functions_version.patch +Patch44: openssl-fips_fix_selftests_return_value.patch +Patch45: openssl-fips-add-SHA3-selftest.patch +Patch46: openssl-fips_selftest_upstream_drbg.patch +# PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) +Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch +Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch BuildRequires: pkgconfig Conflicts: ssl Provides: ssl @@ -85,6 +105,7 @@ %package -n libopenssl1_1 Summary: Secure Sockets and Transport Layer Security +License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) @@ -100,6 +121,7 @@ %package -n libopenssl-1_1-devel Summary: Development files for OpenSSL +License: OpenSSL Group: Development/Libraries/C and C++ Requires: libopenssl1_1 = %{version} Recommends: %{name} = %{version} @@ -133,6 +155,7 @@ %package doc Summary: Additional Package Documentation +License: OpenSSL Group: Productivity/Networking/Security Conflicts: openssl-doc Provides: openssl-doc = %{version} @@ -205,7 +228,6 @@ # avoid file conflicts with man pages from other packages # -set +x pushd %{buildroot}/%{_mandir} # some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. # replace spaces by underscores @@ -229,19 +251,45 @@ esac done popd -set -x # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; -# Place showciphers.c for %doc macro +# Place showciphers.c for %%doc macro cp %{SOURCE5} . -# Create dummy hmac hashes. They're not used anymore since -# the FIPS stuff was removed, but let's keep the package -# for compatibility -touch %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac -touch %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac +# the hmac hashes: +# +# this is a hack that re-defines the __os_install_post macro +# for a simple reason: the macro strips the binaries and thereby +# invalidates a HMAC that may have been created earlier. +# solution: create the hashes _after_ the macro runs. +# +# this shows up earlier because otherwise the %expand of +# the macro is too late. +# remark: This is the same as running +# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' +%{expand:%%global __os_install_post {%__os_install_post + +# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1) +export LD_LIBRARY_PATH="%{buildroot}%{_libdir}" + +%{buildroot}%{_bindir}/fips_standalone_hmac \ + %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \ + %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac + +# As fips_standalone_hmac now uses the very same library it checksums, +# the libcrypto hmac needs to be saved to a temporary file, otherwise +# the library will detect the empty hmac and abort due to a wrong checksum +%{buildroot}%{_bindir}/fips_standalone_hmac \ + %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \ + %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac + +# rename the temporary checksum to its proper name +mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac +unset LD_LIBRARY_PATH + +}} %post -n libopenssl1_1 -p /sbin/ldconfig %postun -n libopenssl1_1 -p /sbin/ldconfig @@ -280,6 +328,7 @@ %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash +%{_bindir}/fips_standalone_hmac %{_bindir}/%{_rname} %changelog ++++++ openssl-1.1.0-issuer-hash.patch ++++++ Index: openssl-1.1.1d/crypto/x509/x509_cmp.c =================================================================== --- openssl-1.1.1d.orig/crypto/x509/x509_cmp.c 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/crypto/x509/x509_cmp.c 2020-01-23 13:45:11.404634047 +0100 @@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has if (ctx == NULL) goto err; + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) goto err; ++++++ openssl-1.1.1-evp-kdf.patch ++++++ ++++ 5279 lines (skipped) ++++++ openssl-1.1.1-fips-crng-test.patch ++++++ Index: openssl-1.1.1d/crypto/include/internal/rand_int.h =================================================================== --- openssl-1.1.1d.orig/crypto/include/internal/rand_int.h 2020-01-23 13:45:11.368633835 +0100 +++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2020-01-23 13:45:11.384633930 +0100 @@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); +/* CRNG test entropy filter callbacks. */ +size_t rand_crngt_get_entropy(RAND_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance); +void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, + unsigned char *out, size_t outlen); + /* * RAND_POOL functions */ Index: openssl-1.1.1d/crypto/rand/build.info =================================================================== --- openssl-1.1.1d.orig/crypto/rand/build.info 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/crypto/rand/build.info 2020-01-23 13:45:11.384633930 +0100 @@ -1,4 +1,4 @@ LIBS=../../libcrypto SOURCE[../../libcrypto]=\ - randfile.c rand_lib.c rand_err.c rand_egd.c \ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c Index: openssl-1.1.1d/crypto/rand/drbg_lib.c =================================================================== --- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.368633835 +0100 +++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.384633930 +0100 @@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; /* NIST SP 800-90A DRBG recommends the use of a personalization string. */ -static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG"; +static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT; @@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu drbg->parent = parent; if (parent == NULL) { +#ifdef OPENSSL_FIPS + drbg->get_entropy = rand_crngt_get_entropy; + drbg->cleanup_entropy = rand_crngt_cleanup_entropy; +#else drbg->get_entropy = rand_drbg_get_entropy; drbg->cleanup_entropy = rand_drbg_cleanup_entropy; +#endif #ifndef RAND_DRBG_GET_RANDOM_NONCE drbg->get_nonce = rand_drbg_get_nonce; drbg->cleanup_nonce = rand_drbg_cleanup_nonce; Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1d/crypto/rand/rand_crng_test.c 2020-01-23 13:45:11.384633930 +0100 @@ -0,0 +1,118 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests. + */ + +#include <string.h> +#include <openssl/evp.h> +#include "internal/rand_int.h" +#include "internal/thread_once.h" +#include "rand_lcl.h" + +static RAND_POOL *crngt_pool; +static unsigned char crngt_prev[EVP_MAX_MD_SIZE]; + +int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *) + = &rand_crngt_get_entropy_cb; + +int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, + unsigned int *md_size) +{ + int r; + size_t n; + unsigned char *p; + + n = rand_pool_acquire_entropy(crngt_pool); + if (n >= CRNGT_BUFSIZ) { + p = rand_pool_detach(crngt_pool); + r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); + if (r != 0) + memcpy(buf, p, CRNGT_BUFSIZ); + rand_pool_reattach(crngt_pool, p); + return r; + } + return 0; +} + +void rand_crngt_cleanup(void) +{ + rand_pool_free(crngt_pool); + crngt_pool = NULL; +} + +int rand_crngt_init(void) +{ + unsigned char buf[CRNGT_BUFSIZ]; + + if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) + return 0; + if (crngt_get_entropy(buf, crngt_prev, NULL)) { + OPENSSL_cleanse(buf, sizeof(buf)); + return 1; + } + rand_crngt_cleanup(); + return 0; +} + +static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT; +DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init) +{ + return OPENSSL_init_crypto(0, NULL) + && rand_crngt_init() + && OPENSSL_atexit(&rand_crngt_cleanup); +} + +int rand_crngt_single_init(void) +{ + return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init); +} + +size_t rand_crngt_get_entropy(RAND_DRBG *drbg, + unsigned char **pout, + int entropy, size_t min_len, size_t max_len, + int prediction_resistance) +{ + unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE]; + unsigned int sz; + RAND_POOL *pool; + size_t q, r = 0, s, t = 0; + int attempts = 3; + + if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) + return 0; + + if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) + return 0; + + while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { + s = q > sizeof(buf) ? sizeof(buf) : q; + if (!crngt_get_entropy(buf, md, &sz) + || memcmp(crngt_prev, md, sz) == 0 + || !rand_pool_add(pool, buf, s, s * 8)) + goto err; + memcpy(crngt_prev, md, sz); + t += s; + attempts++; + } + r = t; + *pout = rand_pool_detach(pool); +err: + OPENSSL_cleanse(buf, sizeof(buf)); + rand_pool_free(pool); + return r; +} + +void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, + unsigned char *out, size_t outlen) +{ + OPENSSL_secure_clear_free(out, outlen); +} Index: openssl-1.1.1d/crypto/rand/rand_lcl.h =================================================================== --- openssl-1.1.1d.orig/crypto/rand/rand_lcl.h 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/crypto/rand/rand_lcl.h 2020-01-23 13:45:11.384633930 +0100 @@ -33,7 +33,15 @@ # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ - +/* + * The number of bytes that constitutes an atomic lump of entropy with respect + * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat + * arbitrary, the smaller the value, the less entropy is consumed on first + * read but the higher the probability of the test failing by accident. + * + * The value is in bytes. + */ +#define CRNGT_BUFSIZ 16 /* * Maximum input size for the DRBG (entropy, nonce, personalization string) @@ -44,6 +52,8 @@ */ # define DRBG_MAX_LENGTH INT32_MAX +/* The default nonce */ +# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" /* * Maximum allocation size for RANDOM_POOL buffers @@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG * /* initializes the AES-CTR DRBG implementation */ int drbg_ctr_init(RAND_DRBG *drbg); +/* + * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. + * These need to be exposed for the unit tests. + */ +int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, + unsigned int *md_size); +extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md, + unsigned int *md_size); +int rand_crngt_init(void); +void rand_crngt_cleanup(void); + +/* + * Expose the run once initialisation function for the unit tests because. + * they need to restart from scratch to validate the first block is skipped + * properly. + */ +int rand_crngt_single_init(void); + #endif Index: openssl-1.1.1d/test/drbgtest.c =================================================================== --- openssl-1.1.1d.orig/test/drbgtest.c 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/test/drbgtest.c 2020-01-23 13:45:11.384633930 +0100 @@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, return t->noncelen; } + /* + * Disable CRNG testing if it is enabled. + * If the DRBG is ready or in an error state, this means an instantiate cycle + * for which the default personalisation string is used. + */ +static int disable_crngt(RAND_DRBG *drbg) +{ + static const char pers[] = DRBG_DEFAULT_PERS_STRING; + const int instantiate = drbg->state != DRBG_UNINITIALISED; + + if (drbg->get_entropy != rand_crngt_get_entropy) + return 1; + + if ((instantiate && !RAND_DRBG_uninstantiate(drbg)) + || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy, + &rand_drbg_cleanup_entropy, + &rand_drbg_get_nonce, + &rand_drbg_cleanup_nonce)) + || (instantiate + && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers, + sizeof(pers) - 1))) + return 0; + return 1; +} + static int uninstantiate(RAND_DRBG *drbg) { int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg); @@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) return 0; if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, - kat_nonce, NULL))) { + kat_nonce, NULL)) + || !TEST_true(disable_crngt(drbg))) { failures++; goto err; } @@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT unsigned int reseed_counter_tmp; int ret = 0; - if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))) + if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)) + || !TEST_true(disable_crngt(drbg))) goto err; /* @@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void) || !TEST_ptr_eq(private->parent, master)) return 0; + /* Disable CRNG testing for the master DRBG */ + if (!TEST_true(disable_crngt(master))) + return 0; + /* uninstantiate the three global DRBGs */ RAND_DRBG_uninstantiate(private); RAND_DRBG_uninstantiate(public); @@ -964,7 +995,8 @@ static int test_rand_seed(void) size_t rand_buflen; size_t required_seed_buflen = 0; - if (!TEST_ptr(master = RAND_DRBG_get0_master())) + if (!TEST_ptr(master = RAND_DRBG_get0_master()) + || !TEST_true(disable_crngt(master))) return 0; #ifdef OPENSSL_RAND_SEED_NONE @@ -1013,6 +1045,95 @@ static int test_rand_add(void) return 1; } +/* + * A list of the FIPS DRGB types. + */ +static const struct s_drgb_types { + int nid; + int flags; +} drgb_types[] = { + { NID_aes_128_ctr, 0 }, + { NID_aes_192_ctr, 0 }, + { NID_aes_256_ctr, 0 }, +}; + +/* Six cases for each covers seed sizes up to 32 bytes */ +static const size_t crngt_num_cases = 6; + +static size_t crngt_case, crngt_idx; + +static int crngt_entropy_cb(unsigned char *buf, unsigned char *md, + unsigned int *md_size) +{ + size_t i, z; + + if (!TEST_int_lt(crngt_idx, crngt_num_cases)) + return 0; + /* Generate a block of unique data unless this is the duplication point */ + z = crngt_idx++; + if (z > 0 && crngt_case == z) + z--; + for (i = 0; i < CRNGT_BUFSIZ; i++) + buf[i] = (unsigned char)(i + 'A' + z); + return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); +} + +static int test_crngt(int n) +{ + const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases; + RAND_DRBG *drbg = NULL; + unsigned char buff[100]; + size_t ent; + int res = 0; + int expect; + + if (!TEST_true(rand_crngt_single_init())) + return 0; + rand_crngt_cleanup(); + + if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL))) + return 0; + ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ; + crngt_case = n % crngt_num_cases; + crngt_idx = 0; + crngt_get_entropy = &crngt_entropy_cb; + if (!TEST_true(rand_crngt_init())) + goto err; +#ifndef OPENSSL_FIPS + if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy, + &rand_crngt_cleanup_entropy, + &rand_drbg_get_nonce, + &rand_drbg_cleanup_nonce))) + goto err; +#endif + expect = crngt_case == 0 || crngt_case > ent; + if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect)) + goto err; + if (!expect) + goto fin; + if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) + goto err; + + expect = crngt_case == 0 || crngt_case > 2 * ent; + if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect)) + goto err; + if (!expect) + goto fin; + if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) + goto err; + +fin: + res = 1; +err: + if (!res) + TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases, + crngt_case, crngt_idx); + uninstantiate(drbg); + RAND_DRBG_free(drbg); + crngt_get_entropy = &rand_crngt_get_entropy_cb; + return res; +} + int setup_tests(void) { app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); @@ -1025,5 +1146,6 @@ int setup_tests(void) #if defined(OPENSSL_THREADS) ADD_TEST(test_multi_thread); #endif + ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types)); return 1; } ++++++ openssl-1.1.1-fips-post-rand.patch ++++++ Index: openssl-1.1.1d/crypto/fips/fips.c =================================================================== --- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.232633025 +0100 +++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:48.216852822 +0100 @@ -68,6 +68,7 @@ # include <openssl/fips.h> # include "internal/thread_once.h" +# include "internal/rand_int.h" # ifndef PATH_MAX # define PATH_MAX 1024 @@ -76,6 +77,7 @@ static int fips_selftest_fail = 0; static int fips_mode = 0; static int fips_started = 0; +static int fips_post = 0; static int fips_is_owning_thread(void); static int fips_set_owning_thread(void); @@ -158,6 +160,11 @@ void fips_set_selftest_fail(void) fips_selftest_fail = 1; } +int fips_in_post(void) +{ + return fips_post; +} + /* we implement what libfipscheck does ourselves */ static int @@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff) } # endif + fips_post = 1; + if (!FIPS_selftest()) { fips_selftest_fail = 1; ret = 0; @@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff) goto end; } + fips_post = 0; + fips_set_mode(onoff); + /* force RNG reseed with entropy from getrandom() on next call */ + rand_force_reseed(); + ret = 1; goto end; } Index: openssl-1.1.1d/crypto/include/internal/fips_int.h =================================================================== --- openssl-1.1.1d.orig/crypto/include/internal/fips_int.h 2020-01-23 13:45:11.336633643 +0100 +++ openssl-1.1.1d/crypto/include/internal/fips_int.h 2020-01-23 13:45:11.368633835 +0100 @@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void); int FIPS_selftest_drbg(void); int FIPS_selftest_cmac(void); +int fips_in_post(void); + int fips_pkey_signature_test(EVP_PKEY *pkey, const unsigned char *tbs, int tbslen, const unsigned char *kat, Index: openssl-1.1.1d/crypto/include/internal/rand_int.h =================================================================== --- openssl-1.1.1d.orig/crypto/include/internal/rand_int.h 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/crypto/include/internal/rand_int.h 2020-01-23 13:45:53.964886989 +0100 @@ -24,6 +24,7 @@ typedef struct rand_pool_st RAND_POOL; void rand_cleanup_int(void); +void rand_force_reseed(void); void rand_drbg_cleanup_int(void); void drbg_delete_thread_state(void); Index: openssl-1.1.1d/crypto/rand/drbg_lib.c =================================================================== --- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/crypto/rand/drbg_lib.c 2020-01-23 13:45:53.964886989 +0100 @@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg return min_entropy > min_entropylen ? min_entropy : min_entropylen; } +void rand_force_reseed(void) +{ + RAND_DRBG *drbg; + + drbg = RAND_DRBG_get0_master(); + drbg->fork_id = 0; + + drbg = RAND_DRBG_get0_private(); + drbg->fork_id = 0; + + drbg = RAND_DRBG_get0_public(); + drbg->fork_id = 0; +} + /* Implements the default OpenSSL RAND_add() method */ static int drbg_add(const void *buf, int num, double randomness) { Index: openssl-1.1.1d/crypto/rand/rand_unix.c =================================================================== --- openssl-1.1.1d.orig/crypto/rand/rand_unix.c 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/crypto/rand/rand_unix.c 2020-01-23 13:45:11.368633835 +0100 @@ -17,10 +17,12 @@ #include <openssl/crypto.h> #include "rand_lcl.h" #include "internal/rand_int.h" +#include "internal/fips_int.h" #include <stdio.h> #include "internal/dso.h" #ifdef __linux # include <sys/syscall.h> +# include <sys/random.h> # ifdef DEVRANDOM_WAIT # include <sys/shm.h> # include <sys/utsname.h> @@ -295,7 +297,7 @@ static ssize_t sysctl_random(char *buf, * syscall_random(): Try to get random data using a system call * returns the number of bytes returned in buf, or < 0 on error. */ -static ssize_t syscall_random(void *buf, size_t buflen) +static ssize_t syscall_random(void *buf, size_t buflen, int nonblock) { /* * Note: 'buflen' equals the size of the buffer which is used by the @@ -317,6 +319,7 @@ static ssize_t syscall_random(void *buf, * - Linux since 3.17 with glibc 2.25 * - FreeBSD since 12.0 (1200061) */ +# if 0 # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) extern int getentropy(void *buffer, size_t length) __attribute__((weak)); @@ -338,10 +341,10 @@ static ssize_t syscall_random(void *buf, if (p_getentropy.p != NULL) return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; # endif - +# endif /* Linux supports this since version 3.17 */ -# if defined(__linux) && defined(__NR_getrandom) - return syscall(__NR_getrandom, buf, buflen, 0); +# if defined(__linux) && defined(SYS_getrandom) + return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0); # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) return sysctl_random(buf, buflen); # else @@ -576,6 +579,9 @@ size_t rand_pool_acquire_entropy(RAND_PO size_t entropy_available; # if defined(OPENSSL_RAND_SEED_GETRANDOM) + int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { { size_t bytes_needed; unsigned char *buffer; @@ -586,7 +592,7 @@ size_t rand_pool_acquire_entropy(RAND_PO bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); - bytes = syscall_random(buffer, bytes_needed); + bytes = syscall_random(buffer, bytes_needed, in_post); if (bytes > 0) { rand_pool_add_end(pool, bytes, 8 * bytes); bytes_needed -= bytes; @@ -621,8 +627,10 @@ size_t rand_pool_acquire_entropy(RAND_PO int attempts = 3; const int fd = get_random_device(i); - if (fd == -1) + if (fd == -1) { + OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]); continue; + } while (bytes_needed != 0 && attempts-- > 0) { buffer = rand_pool_add_begin(pool, bytes_needed); @@ -685,7 +693,9 @@ size_t rand_pool_acquire_entropy(RAND_PO return entropy_available; } # endif - +# ifdef OPENSSL_RAND_SEED_GETRANDOM + } +# endif return rand_pool_entropy_available(pool); # endif } ++++++ openssl-1.1.1-fips.patch ++++++ ++++ 11873 lines (skipped) ++++++ openssl-1.1.1-ssh-kdf.patch ++++++ ++++ 5583 lines (skipped) ++++++ openssl-Fix-9bf682f-which-broke-nistp224_method.patch ++++++ --- /var/tmp/diff_new_pack.W4dEKE/_old 2020-03-20 05:52:32.408048844 +0100 +++ /var/tmp/diff_new_pack.W4dEKE/_new 2020-03-20 05:52:32.408048844 +0100 @@ -14,8 +14,8 @@ Index: openssl-1.1.1d/crypto/ec/ecp_nistp224.c =================================================================== ---- openssl-1.1.1d.orig/crypto/ec/ecp_nistp224.c -+++ openssl-1.1.1d/crypto/ec/ecp_nistp224.c +--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp224.c 2020-01-23 13:45:11.104632265 +0100 ++++ openssl-1.1.1d/crypto/ec/ecp_nistp224.c 2020-01-23 13:45:11.208632883 +0100 @@ -291,10 +291,10 @@ const EC_METHOD *EC_GFp_nistp224_method( ec_key_simple_generate_public_key, 0, /* keycopy */ @@ -30,8 +30,8 @@ 0, /* ladder_pre */ Index: openssl-1.1.1d/crypto/ec/build.info =================================================================== ---- openssl-1.1.1d.orig/crypto/ec/build.info -+++ openssl-1.1.1d/crypto/ec/build.info +--- openssl-1.1.1d.orig/crypto/ec/build.info 2019-09-10 15:13:07.000000000 +0200 ++++ openssl-1.1.1d/crypto/ec/build.info 2020-01-23 13:45:11.208632883 +0100 @@ -20,6 +20,9 @@ GENERATE[ecp_nistz256-avx2.s]=asm/ecp_ni GENERATE[ecp_nistz256-sparcv9.S]=asm/ecp_nistz256-sparcv9.pl $(PERLASM_SCHEME) INCLUDE[ecp_nistz256-sparcv9.o]=.. @@ -44,8 +44,8 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl $(PERLASM_SCHEME) Index: openssl-1.1.1d/include/openssl/ecerr.h =================================================================== ---- openssl-1.1.1d.orig/include/openssl/ecerr.h -+++ openssl-1.1.1d/include/openssl/ecerr.h +--- openssl-1.1.1d.orig/include/openssl/ecerr.h 2020-01-23 13:45:11.108632290 +0100 ++++ openssl-1.1.1d/include/openssl/ecerr.h 2020-01-23 13:45:11.208632883 +0100 @@ -38,6 +38,8 @@ int ERR_load_EC_strings(void); # define EC_F_ECDH_SIMPLE_COMPUTE_KEY 257 # define EC_F_ECDSA_DO_SIGN_EX 251 ++++++ openssl-fips-add-SHA3-selftest.patch ++++++ Index: openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c =================================================================== --- openssl-1.1.1d.orig/crypto/fips/fips_hmac_selftest.c +++ openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c @@ -55,12 +55,23 @@ #include <openssl/hmac.h> #ifdef OPENSSL_FIPS + +#define MAX_SHA3_KEY_LENGTH 200 + typedef struct { const EVP_MD *(*alg) (void); const char *key, *iv; unsigned char kaval[EVP_MAX_MD_SIZE]; } HMAC_KAT; +typedef struct { + const EVP_MD *(*alg) (void); + unsigned char key[MAX_SHA3_KEY_LENGTH]; + size_t keylen; /* strlen() doesn't work with NIST test vector keys */ + const char *iv; + unsigned char kaval[EVP_MAX_MD_SIZE]; +} HMAC_KAT_SHA3; + static const HMAC_KAT vector[] = { {EVP_sha1, /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ @@ -111,6 +122,289 @@ static const HMAC_KAT vector[] = { }, }; +static const HMAC_KAT_SHA3 vector_SHA3[] = { + /* using SHA3-224 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-224.pdf */ + {EVP_sha3_224, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b}, + 0x1c, + "Sample message for keylen<blocklen", + {0x33, 0x2c, 0xfd, 0x59, 0x34, 0x7f, 0xdb, 0x8e, + 0x57, 0x6e, 0x77, 0x26, 0x0b, 0xe4, 0xab, 0xa2, + 0xd6, 0xdc, 0x53, 0x11, 0x7b, 0x3b, 0xfb, 0x52, + 0xc6, 0xd1, 0x8c, 0x04} + }, + {EVP_sha3_224, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, + 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f}, + 0x90, + "Sample message for keylen=blocklen", + {0xd8, 0xb7, 0x33, 0xbc, 0xf6, 0x6c, 0x64, 0x4a, + 0x12, 0x32, 0x3d, 0x56, 0x4e, 0x24, 0xdc, 0xf3, + 0xfc, 0x75, 0xf2, 0x31, 0xf3, 0xb6, 0x79, 0x68, + 0x35, 0x91, 0x00, 0xc7} + }, + {EVP_sha3_224, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, + 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, + 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, + 0xa8, 0xa9, 0xaa, 0xab}, + 0xac, + "Sample message for keylen>blocklen", + {0x07, 0x86, 0x95, 0xee, 0xcc, 0x22, 0x7c, 0x63, + 0x6a, 0xd3, 0x1d, 0x06, 0x3a, 0x15, 0xdd, 0x05, + 0xa7, 0xe8, 0x19, 0xa6, 0x6e, 0xc6, 0xd8, 0xde, + 0x1e, 0x19, 0x3e, 0x59}, + }, + /* using SHA3-256 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-256.pdf */ + {EVP_sha3_256, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f}, + 0x30, + "Sample message for keylen<blocklen", + {0x4f, 0xe8, 0xe2, 0x02, 0xc4, 0xf0, 0x58, 0xe8, + 0xdd, 0xdc, 0x23, 0xd8, 0xc3, 0x4e, 0x46, 0x73, + 0x43, 0xe2, 0x35, 0x55, 0xe2, 0x4f, 0xc2, 0xf0, + 0x25, 0xd5, 0x98, 0xf5, 0x58, 0xf6, 0x72, 0x05} + }, + {EVP_sha3_256, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, + 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87}, + 0x88, + "Sample message for keylen=blocklen", + {0x68, 0xb9, 0x4e, 0x2e, 0x53, 0x8a, 0x9b, 0xe4, + 0x10, 0x3b, 0xeb, 0xb5, 0xaa, 0x01, 0x6d, 0x47, + 0x96, 0x1d, 0x4d, 0x1a, 0xa9, 0x06, 0x06, 0x13, + 0x13, 0xb5, 0x57, 0xf8, 0xaf, 0x2c, 0x3f, 0xaa}, + }, + {EVP_sha3_256, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, + 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, + 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, + 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7}, + 0xa8, + "Sample message for keylen>blocklen", + {0x9b, 0xcf, 0x2c, 0x23, 0x8e, 0x23, 0x5c, 0x3c, + 0xe8, 0x84, 0x04, 0xe8, 0x13, 0xbd, 0x2f, 0x3a, + 0x97, 0x18, 0x5a, 0xc6, 0xf2, 0x38, 0xc6, 0x3d, + 0x62, 0x29, 0xa0, 0x0b, 0x07, 0x97, 0x42, 0x58}, + }, + /* using SHA3-384 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-384.pdf */ + {EVP_sha3_384, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f}, + 0x30, + "Sample message for keylen<blocklen", + {0xd5, 0x88, 0xa3, 0xc5, 0x1f, 0x3f, 0x2d, 0x90, + 0x6e, 0x82, 0x98, 0xc1, 0x19, 0x9a, 0xa8, 0xff, + 0x62, 0x96, 0x21, 0x81, 0x27, 0xf6, 0xb3, 0x8a, + 0x90, 0xb6, 0xaf, 0xe2, 0xc5, 0x61, 0x77, 0x25, + 0xbc, 0x99, 0x98, 0x7f, 0x79, 0xb2, 0x2a, 0x55, + 0x7b, 0x65, 0x20, 0xdb, 0x71, 0x0b, 0x7f, 0x42} + }, + {EVP_sha3_384, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67}, + 0x68, + "Sample message for keylen=blocklen", + {0xa2, 0x7d, 0x24, 0xb5, 0x92, 0xe8, 0xc8, 0xcb, + 0xf6, 0xd4, 0xce, 0x6f, 0xc5, 0xbf, 0x62, 0xd8, + 0xfc, 0x98, 0xbf, 0x2d, 0x48, 0x66, 0x40, 0xd9, + 0xeb, 0x80, 0x99, 0xe2, 0x40, 0x47, 0x83, 0x7f, + 0x5f, 0x3b, 0xff, 0xbe, 0x92, 0xdc, 0xce, 0x90, + 0xb4, 0xed, 0x5b, 0x1e, 0x7e, 0x44, 0xfa, 0x90}, + }, + {EVP_sha3_384, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, + 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, + 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, + 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97}, + 0x98, + "Sample message for keylen>blocklen", + {0xe5, 0xae, 0x4c, 0x73, 0x9f, 0x45, 0x52, 0x79, + 0x36, 0x8e, 0xbf, 0x36, 0xd4, 0xf5, 0x35, 0x4c, + 0x95, 0xaa, 0x18, 0x4c, 0x89, 0x9d, 0x38, 0x70, + 0xe4, 0x60, 0xeb, 0xc2, 0x88, 0xef, 0x1f, 0x94, + 0x70, 0x05, 0x3f, 0x73, 0xf7, 0xc6, 0xda, 0x2a, + 0x71, 0xbc, 0xae, 0xc3, 0x8c, 0xe7, 0xd6, 0xac}, + }, + + + + /* using SHA3-512 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-512.pdf */ + {EVP_sha3_512, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}, + 0x40, + "Sample message for keylen<blocklen", + {0x4e, 0xfd, 0x62, 0x9d, 0x6c, 0x71, 0xbf, 0x86, + 0x16, 0x26, 0x58, 0xf2, 0x99, 0x43, 0xb1, 0xc3, + 0x08, 0xce, 0x27, 0xcd, 0xfa, 0x6d, 0xb0, 0xd9, + 0xc3, 0xce, 0x81, 0x76, 0x3f, 0x9c, 0xbc, 0xe5, + 0xf7, 0xeb, 0xe9, 0x86, 0x80, 0x31, 0xdb, 0x1a, + 0x8f, 0x8e, 0xb7, 0xb6, 0xb9, 0x5e, 0x5c, 0x5e, + 0x3f, 0x65, 0x7a, 0x89, 0x96, 0xc8, 0x6a, 0x2f, + 0x65, 0x27, 0xe3, 0x07, 0xf0, 0x21, 0x31, 0x96} + }, + {EVP_sha3_512, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47}, + 0x48, + "Sample message for keylen=blocklen", + {0x54, 0x4e, 0x25, 0x7e, 0xa2, 0xa3, 0xe5, 0xea, + 0x19, 0xa5, 0x90, 0xe6, 0xa2, 0x4b, 0x72, 0x4c, + 0xe6, 0x32, 0x77, 0x57, 0x72, 0x3f, 0xe2, 0x75, + 0x1b, 0x75, 0xbf, 0x00, 0x7d, 0x80, 0xf6, 0xb3, + 0x60, 0x74, 0x4b, 0xf1, 0xb7, 0xa8, 0x8e, 0xa5, + 0x85, 0xf9, 0x76, 0x5b, 0x47, 0x91, 0x19, 0x76, + 0xd3, 0x19, 0x1c, 0xf8, 0x3c, 0x03, 0x9f, 0x5f, + 0xfa, 0xb0, 0xd2, 0x9c, 0xc9, 0xd9, 0xb6, 0xda}, + }, + {EVP_sha3_512, + {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, + 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, + 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, + 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, + 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, + 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, + 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, + 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, + 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, + 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87}, + 0x88, + "Sample message for keylen>blocklen", + {0x5f, 0x46, 0x4f, 0x5e, 0x5b, 0x78, 0x48, 0xe3, + 0x88, 0x5e, 0x49, 0xb2, 0xc3, 0x85, 0xf0, 0x69, + 0x49, 0x85, 0xd0, 0xe3, 0x89, 0x66, 0x24, 0x2d, + 0xc4, 0xa5, 0xfe, 0x3f, 0xea, 0x4b, 0x37, 0xd4, + 0x6b, 0x65, 0xce, 0xce, 0xd5, 0xdc, 0xf5, 0x94, + 0x38, 0xdd, 0x84, 0x0b, 0xab, 0x22, 0x26, 0x9f, + 0x0b, 0xa7, 0xfe, 0xbd, 0xb9, 0xfc, 0xf7, 0x46, + 0x02, 0xa3, 0x56, 0x66, 0xb2, 0xa3, 0x29, 0x15}, + }, +}; + + int FIPS_selftest_hmac() { int n; @@ -118,7 +412,9 @@ int FIPS_selftest_hmac() unsigned char out[EVP_MAX_MD_SIZE]; const EVP_MD *md; const HMAC_KAT *t; + const HMAC_KAT_SHA3 *t3; + /* SHA1 and SHA2 */ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { md = (*t->alg) (); HMAC(md, t->key, strlen(t->key), @@ -128,6 +424,18 @@ int FIPS_selftest_hmac() FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); return 0; } + } + + /* SHA3 */ + for (n = 0, t3 = vector_SHA3; n < sizeof(vector_SHA3) / sizeof(vector_SHA3[0]); n++, t3++) { + md = (*t3->alg) (); + HMAC(md, t3->key, t3->keylen, + (const unsigned char *)t3->iv, strlen(t3->iv), out, &outlen); + + if (memcmp(out, t3->kaval, outlen)) { + FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); + return 0; + } } return 1; } ++++++ openssl-fips-clearerror.patch ++++++ Index: openssl-1.1.1d/crypto/o_init.c =================================================================== --- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.556634952 +0100 +++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:11.572635047 +0100 @@ -49,6 +49,7 @@ static void init_fips_mode(void) NONFIPS_selftest_check(); /* drop down to non-FIPS mode if it is not requested */ FIPS_mode_set(0); + ERR_clear_error(); } else { /* abort if selftest failed */ FIPS_selftest_check(); ++++++ openssl-fips-dont_run_FIPS_module_installed.patch ++++++ Index: openssl-1.1.1d/crypto/o_init.c =================================================================== --- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.336633643 +0100 +++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:21.316692954 +0100 @@ -63,9 +63,6 @@ void __attribute__ ((constructor)) OPENS if (done) return; done = 1; - if (!FIPS_module_installed()) { - return; - } init_fips_mode(); } #endif ++++++ openssl-fips-ignore_broken_atexit_test.patch ++++++ Index: openssl-1.1.1d/test/recipes/90-test_shlibload.t =================================================================== --- openssl-1.1.1d.orig/test/recipes/90-test_shlibload.t 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/test/recipes/90-test_shlibload.t 2020-01-23 15:22:27.355814857 +0100 @@ -23,7 +23,7 @@ plan skip_all => "Test is disabled on AI plan skip_all => "Test is disabled on VMS" if config('target') =~ m|^vms|; plan skip_all => "Test only supported in a dso build" if disabled("dso"); -plan tests => 10; +plan tests => 9; # When libssl and libcrypto are compiled on Linux with "-rpath", but not # "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, @@ -56,7 +56,7 @@ unlink $filename; ($fh, $filename) = tempfile(); ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])), "running shlibloadtest -no_atexit $filename"); -ok(!check_atexit($fh)); +#ok(!check_atexit($fh)); unlink $filename; sub shlib { ++++++ openssl-fips-run_selftests_only_when_module_is_complete.patch ++++++ Index: openssl-1.1.1d/crypto/fips/fips.c =================================================================== --- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.368633835 +0100 +++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:21.316692954 +0100 @@ -454,15 +454,15 @@ int FIPS_module_mode_set(int onoff) fips_post = 1; - if (!FIPS_selftest()) { + if (!verify_checksums()) { + FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, + FIPS_R_FINGERPRINT_DOES_NOT_MATCH); fips_selftest_fail = 1; ret = 0; goto end; } - if (!verify_checksums()) { - FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, - FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + if (!FIPS_selftest()) { fips_selftest_fail = 1; ret = 0; goto end; ++++++ openssl-fips-selftests_in_nonfips_mode.patch ++++++ Index: openssl-1.1.1d/crypto/fips/fips.c =================================================================== --- openssl-1.1.1d.orig/crypto/fips/fips.c 2020-01-23 13:45:11.416634119 +0100 +++ openssl-1.1.1d/crypto/fips/fips.c 2020-01-23 13:45:11.556634952 +0100 @@ -486,6 +486,44 @@ int FIPS_module_mode_set(int onoff) return ret; } +/* In non-FIPS mode, the selftests must succeed if the + * checksum files are present + */ +void NONFIPS_selftest_check(void) +{ + int rv; + char *hmacpath; + char path[PATH_MAX+1]; + + if (fips_selftest_fail) + { + /* check if the checksum files are installed */ + rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path)); + if (rv < 0) + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); + + hmacpath = make_hmac_path(path); + if (hmacpath == NULL) + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); + + if (access(hmacpath, F_OK)) + { + /* no hmac file is present, ignore the failed selftests */ + if (errno == ENOENT) + { + free(hmacpath); + return; + } + /* we fail on any other error */ + } + /* if the file exists, but the selftests failed + (eg wrong checksum), we fail too */ + free(hmacpath); + OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE"); + } + /* otherwise ok, selftests were successful */ +} + static CRYPTO_THREAD_ID fips_threadid; static int fips_thread_set = 0; Index: openssl-1.1.1d/crypto/o_init.c =================================================================== --- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.536634832 +0100 +++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:17.000667299 +0100 @@ -45,6 +45,8 @@ static void init_fips_mode(void) */ if (buf[0] != '1') { + /* abort if selftest failed and the module is complete */ + NONFIPS_selftest_check(); /* drop down to non-FIPS mode if it is not requested */ FIPS_mode_set(0); } else { Index: openssl-1.1.1d/include/openssl/fips.h =================================================================== --- openssl-1.1.1d.orig/include/openssl/fips.h 2020-01-23 13:45:11.344633691 +0100 +++ openssl-1.1.1d/include/openssl/fips.h 2020-01-23 13:45:11.556634952 +0100 @@ -65,6 +65,7 @@ extern "C" { int FIPS_selftest(void); int FIPS_selftest_failed(void); int FIPS_selftest_drbg_all(void); + void NONFIPS_selftest_check(void); int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, const EVP_MD *evpmd, const unsigned char *seed_in, ++++++ openssl-fips_fix_selftests_return_value.patch ++++++ Index: openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c =================================================================== --- openssl-1.1.1d.orig/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.006796026 +0100 +++ openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.946801354 +0100 @@ -150,7 +150,7 @@ int FIPS_selftest_dsa() { DSA *dsa = NULL; EVP_PKEY *pk = NULL; - int ret = -1; + int ret = 0; BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; fips_load_key_component(p, dsa_test_2048); Index: openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c =================================================================== --- openssl-1.1.1d.orig/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.006796026 +0100 +++ openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.950801378 +0100 @@ -221,6 +221,9 @@ int FIPS_selftest_ecdh(void) } err: + if (rv == -1) { + rv = 0; + } if (x) BN_clear_free(x); ++++++ openssl-fips_mode.patch ++++++ Index: openssl-1.1.1d/apps/openssl.c =================================================================== --- openssl-1.1.1d.orig/apps/openssl.c 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/apps/openssl.c 2020-01-23 13:45:11.452634334 +0100 @@ -151,8 +151,15 @@ int main(int argc, char *argv[]) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); if (getenv("OPENSSL_FIPS")) { +#ifdef OPENSSL_FIPS + if (!FIPS_mode_set(1)) { + ERR_print_errors(bio_err); + return 1; + } +#else BIO_printf(bio_err, "FIPS mode not supported.\n"); return 1; +#endif } if (!apps_startup()) { ++++++ openssl-fips_selftest_upstream_drbg.patch ++++++ ++++ 1837 lines (skipped) ++++++ openssl-keep_EVP_KDF_functions_version.patch ++++++ Index: openssl-1.1.1d/util/libcrypto.num =================================================================== --- openssl-1.1.1d.orig/util/libcrypto.num 2020-01-27 12:07:26.467151662 +0100 +++ openssl-1.1.1d/util/libcrypto.num 2020-01-27 13:18:44.456778054 +0100 @@ -4617,11 +4617,11 @@ FIPS_drbg_get_strength FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: -EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION: -EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION: -EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION: -EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION: -EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION: -EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: -EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: -EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: +EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION: +EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION: +EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION: +EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION: +EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION: +EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION: +EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION: +EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: ++++++ openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch ++++++ ++++ 1467 lines (skipped) ++++++ openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch ++++++ --- /var/tmp/diff_new_pack.W4dEKE/_old 2020-03-20 05:52:32.468048884 +0100 +++ /var/tmp/diff_new_pack.W4dEKE/_new 2020-03-20 05:52:32.468048884 +0100 @@ -11,11 +11,11 @@ crypto/s390xcpuid.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/crypto/s390xcpuid.pl b/crypto/s390xcpuid.pl -index 36f742068b..4906e0366a 100755 ---- a/crypto/s390xcpuid.pl -+++ b/crypto/s390xcpuid.pl -@@ -109,7 +109,7 @@ OPENSSL_s390x_functions: +Index: openssl-1.1.1d/crypto/s390xcpuid.pl +=================================================================== +--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl 2020-01-23 13:45:11.064632028 +0100 ++++ openssl-1.1.1d/crypto/s390xcpuid.pl 2020-01-23 13:45:11.188632764 +0100 +@@ -107,7 +107,7 @@ OPENSSL_s390x_functions: la %r1,S390X_KMAC(%r4) .long 0xb91e0042 # kmac %r4,%r2 @@ -24,6 +24,3 @@ jz .Lret lghi %r0,S390X_QUERY # query pcc capability vector --- -2.24.0 - ++++++ openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch ++++++ Index: openssl-1.1.1d/crypto/ec/ecx_meth.c =================================================================== --- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c 2020-02-26 14:33:10.766715365 +0100 +++ openssl-1.1.1d/crypto/ec/ecx_meth.c 2020-02-26 14:33:10.786715482 +0100 @@ -842,6 +842,7 @@ static const EVP_PKEY_METHOD ed448_pkey_ #ifdef S390X_EC_ASM # include "s390x_arch.h" +# include "internal/constant_time_locl.h" static void s390x_x25519_mod_p(unsigned char u[32]) { @@ -855,16 +856,16 @@ static void s390x_x25519_mod_p(unsigned u_red[31] = (unsigned char)c; c >>= 8; - for (i = 30; c > 0 && i >= 0; i--) { + for (i = 30; i >= 0; i--) { c += (unsigned int)u_red[i]; u_red[i] = (unsigned char)c; c >>= 8; } - if (u_red[0] & 0x80) { - u_red[0] &= 0x7f; - memcpy(u, u_red, sizeof(u_red)); - } + c = (u_red[0] & 0x80) >> 7; + u_red[0] &= 0x7f; + constant_time_cond_swap_buff(0 - (unsigned char)c, + u, u_red, sizeof(u_red)); } static void s390x_x448_mod_p(unsigned char u[56]) @@ -889,16 +890,14 @@ static void s390x_x448_mod_p(unsigned ch u_red[27] = (unsigned char)c; c >>= 8; - for (i = 26; c > 0 && i >= 0; i--) { + for (i = 26; i >= 0; i--) { c += (unsigned int)u_red[i]; u_red[i] = (unsigned char)c; c >>= 8; } - if (u_red[0] & 0x80) { - u_red[0] &= 0x7f; - memcpy(u, u_red, sizeof(u_red)); - } + constant_time_cond_swap_buff(0 - (unsigned char)c, + u, u_red, sizeof(u_red)); } static int s390x_x25519_mul(unsigned char u_dst[32], @@ -954,7 +953,7 @@ static int s390x_x448_mul(unsigned char memcpy(param.x448.d_src, d_src, 56); s390x_flip_endian64(param.x448.u_src, param.x448.u_src); - s390x_x448_mod_p(param.x448.u_src); + s390x_x448_mod_p(param.x448.u_src + 8); s390x_flip_endian64(param.x448.d_src, param.x448.d_src); param.x448.d_src[63] &= 252; Index: openssl-1.1.1d/include/internal/constant_time_locl.h =================================================================== --- openssl-1.1.1d.orig/include/internal/constant_time_locl.h 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/include/internal/constant_time_locl.h 2020-02-26 14:33:10.786715482 +0100 @@ -353,6 +353,34 @@ static ossl_inline void constant_time_co } /* + * mask must be 0xFF or 0x00. + * "constant time" is per len. + * + * if (mask) { + * unsigned char tmp[len]; + * + * memcpy(tmp, a, len); + * memcpy(a, b); + * memcpy(b, tmp); + * } + */ +static ossl_inline void constant_time_cond_swap_buff(unsigned char mask, + unsigned char *a, + unsigned char *b, + size_t len) +{ + size_t i; + unsigned char tmp; + + for (i = 0; i < len; i++) { + tmp = a[i] ^ b[i]; + tmp &= mask; + a[i] ^= tmp; + b[i] ^= tmp; + } +} + +/* * table is a two dimensional array of bytes. Each row has rowsize elements. * Copies row number idx into out. rowsize and numrows are not considered * private. Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt =================================================================== --- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evppkey.txt 2019-09-10 15:13:07.000000000 +0200 +++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt 2020-02-26 14:33:10.790715505 +0100 @@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw +PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff + Derive=Alice-448 PeerKey=Bob-448-PUBLIC SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d @@ -830,6 +832,11 @@ Derive=Bob-448-Raw PeerKey=Alice-448-PUBLIC-Raw SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d +# Self-generated non-canonical +Derive=Alice-448-Raw +PeerKey=Bob-448-PUBLIC-Raw-NonCanonical +SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb + # Illegal sign/verify operations with X448 key Sign=Alice-448 ++++++ openssl-ship_fips_standalone_hmac.patch ++++++ Index: openssl-1.1.1d/crypto/fips/build.info =================================================================== --- openssl-1.1.1d.orig/crypto/fips/build.info 2020-01-23 13:45:11.232633025 +0100 +++ openssl-1.1.1d/crypto/fips/build.info 2020-01-23 13:45:11.432634214 +0100 @@ -7,7 +7,7 @@ SOURCE[../../libcrypto]=\ fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ fips_dh_selftest.c fips_ers.c -PROGRAMS_NO_INST=\ +PROGRAMS=\ fips_standalone_hmac SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
