From 9f6ef3557f740b47e5aba1df1374e8b5071c0b2b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 14 2020 01:44:21 +0000 Subject: import openssl-1.1.1g-9.el8 --- diff --git a/SOURCES/openssl-1.1.1-alpn-cb.patch b/SOURCES/openssl-1.1.1-alpn-cb.patch new file mode 100644 index 0000000..465f7b8 --- /dev/null +++ b/SOURCES/openssl-1.1.1-alpn-cb.patch @@ -0,0 +1,27 @@ +commit 9e885a707d604e9528b5491b78fb9c00f41193fc +Author: Tomas Mraz +Date: Thu Mar 26 15:59:00 2020 +0100 + + s_server: Properly indicate ALPN protocol mismatch + + Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that + an alert is sent to the client on ALPN protocol mismatch. + + Fixes: #2708 + + Reviewed-by: Matt Caswell + (Merged from https://github.com/openssl/openssl/pull/11415) + +diff --git a/apps/s_server.c b/apps/s_server.c +index bcc83e562c..591c6c19c5 100644 +--- a/apps/s_server.c ++++ b/apps/s_server.c +@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, + if (SSL_select_next_proto + ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in, + inlen) != OPENSSL_NPN_NEGOTIATED) { +- return SSL_TLSEXT_ERR_NOACK; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; + } + + if (!s_quiet) { diff --git a/SOURCES/openssl-1.1.1-fips-dh.patch b/SOURCES/openssl-1.1.1-fips-dh.patch index 946e249..9e15289 100644 --- a/SOURCES/openssl-1.1.1-fips-dh.patch +++ b/SOURCES/openssl-1.1.1-fips-dh.patch @@ -1,6 +1,6 @@ diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn_const.c --- openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/crypto/bn/bn_const.c 2020-05-25 18:41:00.478262334 +0200 ++++ openssl-1.1.1g/crypto/bn/bn_const.c 2020-06-05 17:31:28.044776018 +0200 @@ -1,13 +1,17 @@ /* - * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -479,7 +479,7 @@ diff -up openssl-1.1.1g/crypto/bn/bn_const.c.fips-dh openssl-1.1.1g/crypto/bn/bn } diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh.c --- openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/crypto/bn/bn_dh.c 2020-05-25 18:41:00.480262350 +0200 ++++ openssl-1.1.1g/crypto/bn/bn_dh.c 2020-06-05 17:31:28.044776018 +0200 @@ -1,7 +1,7 @@ /* - * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved. @@ -1958,7 +1958,7 @@ diff -up openssl-1.1.1g/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1g/crypto/bn/bn_dh +#endif /* OPENSSL_NO_DH */ diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh_check.c --- openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/crypto/dh/dh_check.c 2020-05-25 18:41:00.481262359 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_check.c 2020-06-05 17:31:28.045776027 +0200 @@ -10,6 +10,7 @@ #include #include "internal/cryptlib.h" @@ -1999,8 +1999,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_check.c.fips-dh openssl-1.1.1g/crypto/dh/dh if (ctx == NULL) goto err; diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_gen.c ---- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh 2020-05-25 18:41:00.255260458 +0200 -+++ openssl-1.1.1g/crypto/dh/dh_gen.c 2020-05-25 18:41:00.481262359 +0200 +--- openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh 2020-06-05 17:31:27.977775462 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_gen.c 2020-06-05 17:31:28.045776027 +0200 @@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i BN_GENCB *cb) { @@ -2031,8 +2031,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1g/crypto/dh/dh_g if (ctx == NULL) goto err; diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_key.c ---- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh 2020-05-25 18:41:00.255260458 +0200 -+++ openssl-1.1.1g/crypto/dh/dh_key.c 2020-05-25 18:41:00.482262367 +0200 +--- openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh 2020-06-05 17:31:27.977775462 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_key.c 2020-06-05 17:31:28.045776027 +0200 @@ -100,10 +100,18 @@ static int generate_key(DH *dh) BIGNUM *pub_key = NULL, *priv_key = NULL; @@ -2075,8 +2075,16 @@ diff -up openssl-1.1.1g/crypto/dh/dh_key.c.fips-dh openssl-1.1.1g/crypto/dh/dh_k goto err; diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_lib.c --- openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/crypto/dh/dh_lib.c 2020-05-25 18:41:00.482262367 +0200 -@@ -86,6 +86,8 @@ DH *DH_new_method(ENGINE *engine) ++++ openssl-1.1.1g/crypto/dh/dh_lib.c 2020-06-18 14:13:33.546892717 +0200 +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include "internal/cryptlib.h" + #include "internal/refcount.h" + #include +@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine) goto err; } @@ -2085,7 +2093,7 @@ diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_l return ret; err: -@@ -205,7 +207,9 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU +@@ -205,7 +208,9 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU dh->g = g; } @@ -2097,8 +2105,8 @@ diff -up openssl-1.1.1g/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1g/crypto/dh/dh_l } diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh_local.h ---- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh 2020-05-25 18:40:59.396253234 +0200 -+++ openssl-1.1.1g/crypto/dh/dh_local.h 2020-05-25 18:41:00.482262367 +0200 +--- openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh 2020-06-05 17:31:27.763773685 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_local.h 2020-06-05 17:31:28.045776027 +0200 @@ -35,6 +35,7 @@ struct dh_st { const DH_METHOD *meth; ENGINE *engine; @@ -2115,7 +2123,7 @@ diff -up openssl-1.1.1g/crypto/dh/dh_local.h.fips-dh openssl-1.1.1g/crypto/dh/dh +void dh_cache_nid(DH *dh); diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/dh_rfc7919.c --- openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c 2020-05-27 10:05:05.828687005 +0200 ++++ openssl-1.1.1g/crypto/dh/dh_rfc7919.c 2020-06-05 17:31:28.045776027 +0200 @@ -7,6 +7,8 @@ * https://www.openssl.org/source/license.html */ @@ -2171,12 +2179,12 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/ + case NID_modp_4096: + return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325); + case NID_modp_6144: -+ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_p, 375); ++ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375); + case NID_modp_8192: -+ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_p, 400); ++ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400); + case NID_modp_1536: + if (!FIPS_mode()) -+ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_p, 175); ++ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175); + /* fallthrough */ default: DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); @@ -2281,7 +2289,7 @@ diff -up openssl-1.1.1g/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1g/crypto/dh/ +} diff -up openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh openssl-1.1.1g/crypto/evp/p_lib.c --- openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/crypto/evp/p_lib.c 2020-05-26 14:51:33.604162226 +0200 ++++ openssl-1.1.1g/crypto/evp/p_lib.c 2020-06-05 17:31:28.045776027 +0200 @@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) @@ -2293,8 +2301,8 @@ diff -up openssl-1.1.1g/crypto/evp/p_lib.c.fips-dh openssl-1.1.1g/crypto/evp/p_l if (ret) diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/objects/obj_dat.h ---- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh 2020-05-25 18:41:00.452262115 +0200 -+++ openssl-1.1.1g/crypto/objects/obj_dat.h 2020-05-25 18:41:00.485262392 +0200 +--- openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh 2020-06-05 17:31:28.036775952 +0200 ++++ openssl-1.1.1g/crypto/objects/obj_dat.h 2020-06-05 17:31:28.046776035 +0200 @@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ }; @@ -2357,8 +2365,8 @@ diff -up openssl-1.1.1g/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1g/crypto/o 173, /* "name" */ 681, /* "onBasis" */ diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto/objects/objects.txt ---- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh 2020-05-25 18:41:00.453262123 +0200 -+++ openssl-1.1.1g/crypto/objects/objects.txt 2020-05-25 18:41:00.486262401 +0200 +--- openssl-1.1.1g/crypto/objects/objects.txt.fips-dh 2020-06-05 17:31:28.037775960 +0200 ++++ openssl-1.1.1g/crypto/objects/objects.txt 2020-06-05 17:31:28.046776035 +0200 @@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit : ffdhe4096 : ffdhe6144 @@ -2374,8 +2382,8 @@ diff -up openssl-1.1.1g/crypto/objects/objects.txt.fips-dh openssl-1.1.1g/crypto # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto/objects/obj_mac.num ---- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh 2020-05-25 18:41:00.453262123 +0200 -+++ openssl-1.1.1g/crypto/objects/obj_mac.num 2020-05-25 18:41:00.486262401 +0200 +--- openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh 2020-06-05 17:31:28.037775960 +0200 ++++ openssl-1.1.1g/crypto/objects/obj_mac.num 2020-06-05 17:31:28.046776035 +0200 @@ -1196,3 +1196,9 @@ sshkdf 1195 kbkdf 1196 krb5kdf 1197 @@ -2388,7 +2396,7 @@ diff -up openssl-1.1.1g/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1g/crypto +modp_8192 1204 diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/man3/DH_new_by_nid.pod --- openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod 2020-05-25 18:41:00.487262409 +0200 ++++ openssl-1.1.1g/doc/man3/DH_new_by_nid.pod 2020-06-05 17:31:28.046776035 +0200 @@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find #include @@ -2409,7 +2417,7 @@ diff -up openssl-1.1.1g/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1g/doc/ma any named set. It returns the NID corresponding to the matching parameters or diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod --- openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod 2020-05-25 18:41:00.487262409 +0200 ++++ openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod 2020-06-05 17:31:28.046776035 +0200 @@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets If B is zero (the default) then no padding is performed. @@ -2428,7 +2436,7 @@ diff -up openssl-1.1.1g/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1g/do The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/crypto/bn_dh.h --- openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/include/crypto/bn_dh.h 2020-05-25 18:41:00.488262418 +0200 ++++ openssl-1.1.1g/include/crypto/bn_dh.h 2020-06-05 17:31:28.047776043 +0200 @@ -1,7 +1,7 @@ /* - * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. @@ -2478,8 +2486,8 @@ diff -up openssl-1.1.1g/include/crypto/bn_dh.h.fips-dh openssl-1.1.1g/include/cr +extern const BIGNUM _bignum_modp_6144_q; +extern const BIGNUM _bignum_modp_8192_q; diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include/openssl/obj_mac.h ---- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh 2020-05-25 18:41:00.458262165 +0200 -+++ openssl-1.1.1g/include/openssl/obj_mac.h 2020-05-25 18:41:00.489262426 +0200 +--- openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh 2020-06-05 17:31:28.038775968 +0200 ++++ openssl-1.1.1g/include/openssl/obj_mac.h 2020-06-05 17:31:28.047776043 +0200 @@ -5115,6 +5115,24 @@ #define SN_ffdhe8192 "ffdhe8192" #define NID_ffdhe8192 1130 @@ -2506,8 +2514,8 @@ diff -up openssl-1.1.1g/include/openssl/obj_mac.h.fips-dh openssl-1.1.1g/include #define NID_ISO_UA 1150 #define OBJ_ISO_UA OBJ_member_body,804L diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c ---- openssl-1.1.1g/ssl/s3_lib.c.fips-dh 2020-05-25 18:41:00.318260988 +0200 -+++ openssl-1.1.1g/ssl/s3_lib.c 2020-05-26 08:52:28.102535244 +0200 +--- openssl-1.1.1g/ssl/s3_lib.c.fips-dh 2020-06-05 17:31:27.996775620 +0200 ++++ openssl-1.1.1g/ssl/s3_lib.c 2020-06-05 17:31:28.047776043 +0200 @@ -4858,13 +4858,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey EVP_PKEY *ssl_dh_to_pkey(DH *dh) { @@ -2561,44 +2569,90 @@ diff -up openssl-1.1.1g/ssl/s3_lib.c.fips-dh openssl-1.1.1g/ssl/s3_lib.c } #endif diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-dh openssl-1.1.1g/ssl/t1_lib.c ---- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-05-25 18:41:00.470262266 +0200 -+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-26 08:48:55.619713737 +0200 -@@ -2482,7 +2482,7 @@ int SSL_check_chain(SSL *s, X509 *x, EVP +--- openssl-1.1.1g/ssl/t1_lib.c.fips-dh 2020-06-05 17:31:28.042776002 +0200 ++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-18 14:18:13.518339214 +0200 +@@ -2511,46 +2511,48 @@ int SSL_check_chain(SSL *s, X509 *x, EVP + #ifndef OPENSSL_NO_DH DH *ssl_get_auto_dh(SSL *s) { ++ DH *dhp = NULL; ++ BIGNUM *p = NULL, *g = NULL; int dh_secbits = 80; - if (s->cert->dh_tmp_auto == 2) -+ if (!FIPS_mode() && s->cert->dh_tmp_auto == 2) - return DH_get_1024_160(); - if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { - if (s->s3->tmp.new_cipher->strength_bits == 256) -@@ -2495,7 +2495,7 @@ DH *ssl_get_auto_dh(SSL *s) - dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); +- return DH_get_1024_160(); +- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { +- if (s->s3->tmp.new_cipher->strength_bits == 256) +- dh_secbits = 128; +- else +- dh_secbits = 80; +- } else { +- if (s->s3->tmp.cert == NULL) +- return NULL; +- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); ++ if (s->cert->dh_tmp_auto != 2) { ++ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { ++ if (s->s3->tmp.new_cipher->strength_bits == 256) ++ dh_secbits = 128; ++ else ++ dh_secbits = 80; ++ } else { ++ if (s->s3->tmp.cert == NULL) ++ return NULL; ++ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey); ++ } } - if (dh_secbits >= 128) { -+ if (dh_secbits >= 112 || FIPS_mode()) { - DH *dhp = DH_new(); - BIGNUM *p, *g; - if (dhp == NULL) -@@ -2508,8 +2508,10 @@ DH *ssl_get_auto_dh(SSL *s) - } - if (dh_secbits >= 192) - p = BN_get_rfc3526_prime_8192(NULL); +- DH *dhp = DH_new(); +- BIGNUM *p, *g; +- if (dhp == NULL) +- return NULL; +- g = BN_new(); +- if (g == NULL || !BN_set_word(g, 2)) { +- DH_free(dhp); +- BN_free(g); +- return NULL; +- } +- if (dh_secbits >= 192) +- p = BN_get_rfc3526_prime_8192(NULL); - else -+ else if (dh_secbits >= 128) - p = BN_get_rfc3526_prime_3072(NULL); -+ else -+ p = BN_get_rfc3526_prime_2048(NULL); - if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { - DH_free(dhp); - BN_free(p); -@@ -2518,8 +2520,6 @@ DH *ssl_get_auto_dh(SSL *s) - } - return dhp; +- p = BN_get_rfc3526_prime_3072(NULL); +- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { +- DH_free(dhp); +- BN_free(p); +- BN_free(g); +- return NULL; +- } +- return dhp; ++ dhp = DH_new(); ++ if (dhp == NULL) ++ return NULL; ++ g = BN_new(); ++ if (g == NULL || !BN_set_word(g, 2)) { ++ DH_free(dhp); ++ BN_free(g); ++ return NULL; ++ } ++ if (dh_secbits >= 192) ++ p = BN_get_rfc3526_prime_8192(NULL); ++ else if (dh_secbits >= 152) ++ p = BN_get_rfc3526_prime_4096(NULL); ++ else if (dh_secbits >= 128) ++ p = BN_get_rfc3526_prime_3072(NULL); ++ else if (dh_secbits >= 112 || FIPS_mode()) ++ p = BN_get_rfc3526_prime_2048(NULL); ++ else ++ p = BN_get_rfc2409_prime_1024(NULL); ++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { ++ DH_free(dhp); ++ BN_free(p); ++ BN_free(g); ++ return NULL; } - if (dh_secbits >= 112) - return DH_get_2048_224(); - return DH_get_1024_160(); +- return DH_get_1024_160(); ++ return dhp; } #endif + diff --git a/SOURCES/openssl-1.1.1-fips.patch b/SOURCES/openssl-1.1.1-fips.patch index 4fd1117..ad295a4 100644 --- a/SOURCES/openssl-1.1.1-fips.patch +++ b/SOURCES/openssl-1.1.1-fips.patch @@ -879,128 +879,6 @@ diff -up openssl-1.1.1e/crypto/ec/ec_pmeth.c.fips openssl-1.1.1e/crypto/ec/ec_pm pkey_ec_init, pkey_ec_copy, pkey_ec_cleanup, -diff -up openssl-1.1.1e/crypto/evp/c_allc.c.fips openssl-1.1.1e/crypto/evp/c_allc.c ---- openssl-1.1.1e/crypto/evp/c_allc.c.fips 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/c_allc.c 2020-03-17 17:30:52.027567375 +0100 -@@ -17,6 +17,9 @@ - void openssl_add_all_ciphers_int(void) - { - -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cfb()); - EVP_add_cipher(EVP_des_cfb1()); -@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void) - EVP_add_cipher(EVP_chacha20_poly1305()); - # endif - #endif -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede3_cfb()); -+ -+ EVP_add_cipher(EVP_des_ede3_ofb()); -+ -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3"); -+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3"); -+ -+ EVP_add_cipher(EVP_des_ede3()); -+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB"); -+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb"); -+ EVP_add_cipher(EVP_des_ede3_wrap()); -+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); -+# endif -+ -+# ifndef OPENSSL_NO_AES -+ EVP_add_cipher(EVP_aes_128_ecb()); -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_128_cfb()); -+ EVP_add_cipher(EVP_aes_128_cfb1()); -+ EVP_add_cipher(EVP_aes_128_cfb8()); -+ EVP_add_cipher(EVP_aes_128_ofb()); -+ EVP_add_cipher(EVP_aes_128_ctr()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_128_xts()); -+ EVP_add_cipher(EVP_aes_128_ccm()); -+ EVP_add_cipher(EVP_aes_128_wrap()); -+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); -+ EVP_add_cipher(EVP_aes_128_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); -+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); -+ EVP_add_cipher(EVP_aes_192_ecb()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_192_cfb()); -+ EVP_add_cipher(EVP_aes_192_cfb1()); -+ EVP_add_cipher(EVP_aes_192_cfb8()); -+ EVP_add_cipher(EVP_aes_192_ofb()); -+ EVP_add_cipher(EVP_aes_192_ctr()); -+ EVP_add_cipher(EVP_aes_192_gcm()); -+ EVP_add_cipher(EVP_aes_192_ccm()); -+ EVP_add_cipher(EVP_aes_192_wrap()); -+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); -+ EVP_add_cipher(EVP_aes_192_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); -+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); -+ EVP_add_cipher(EVP_aes_256_ecb()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_256_cfb()); -+ EVP_add_cipher(EVP_aes_256_cfb1()); -+ EVP_add_cipher(EVP_aes_256_cfb8()); -+ EVP_add_cipher(EVP_aes_256_ofb()); -+ EVP_add_cipher(EVP_aes_256_ctr()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+ EVP_add_cipher(EVP_aes_256_xts()); -+ EVP_add_cipher(EVP_aes_256_ccm()); -+ EVP_add_cipher(EVP_aes_256_wrap()); -+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); -+ EVP_add_cipher(EVP_aes_256_wrap_pad()); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); -+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); -+# endif -+ } -+#endif - } -diff -up openssl-1.1.1e/crypto/evp/c_alld.c.fips openssl-1.1.1e/crypto/evp/c_alld.c ---- openssl-1.1.1e/crypto/evp/c_alld.c.fips 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/evp/c_alld.c 2020-03-17 17:30:52.027567375 +0100 -@@ -16,6 +16,9 @@ - - void openssl_add_all_digests_int(void) - { -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif - #ifndef OPENSSL_NO_MD4 - EVP_add_digest(EVP_md4()); - #endif -@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void) - EVP_add_digest(EVP_sha3_512()); - EVP_add_digest(EVP_shake128()); - EVP_add_digest(EVP_shake256()); -+#ifdef OPENSSL_FIPS -+ } else { -+ EVP_add_digest(EVP_md5_sha1()); -+ EVP_add_digest(EVP_sha1()); -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+ EVP_add_digest(EVP_sha512_224()); -+ EVP_add_digest(EVP_sha512_256()); -+ EVP_add_digest(EVP_sha3_224()); -+ EVP_add_digest(EVP_sha3_256()); -+ EVP_add_digest(EVP_sha3_384()); -+ EVP_add_digest(EVP_sha3_512()); -+ EVP_add_digest(EVP_shake128()); -+ EVP_add_digest(EVP_shake256()); -+ } -+#endif - } diff -up openssl-1.1.1e/crypto/evp/digest.c.fips openssl-1.1.1e/crypto/evp/digest.c --- openssl-1.1.1e/crypto/evp/digest.c.fips 2020-03-17 15:31:17.000000000 +0100 +++ openssl-1.1.1e/crypto/evp/digest.c 2020-03-17 17:38:57.528093469 +0100 diff --git a/SOURCES/openssl-1.1.1-kdf-selftest.patch b/SOURCES/openssl-1.1.1-kdf-selftest.patch new file mode 100644 index 0000000..3cb3718 --- /dev/null +++ b/SOURCES/openssl-1.1.1-kdf-selftest.patch @@ -0,0 +1,170 @@ +diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info +--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200 ++++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200 +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c + + PROGRAMS_NO_INST=\ + fips_standalone_hmac +diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c +--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200 +@@ -0,0 +1,117 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include "crypto/fips.h" ++ ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++int FIPS_selftest_pbkdf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[32]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, ++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, ++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, ++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos ++ * 5) appendix A. */ ++int FIPS_selftest_kbkdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ char *label = "prf", *prf_input = "test"; ++ static unsigned char input_key[] = { ++ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, ++ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, ++ }; ++ static unsigned char output[] = { ++ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, ++ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, ++ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, ++ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95, ++ }; ++ unsigned char result[sizeof(output)] = { 0 }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { ++ goto err; ++ } ++ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0 ++ && memcmp(result, output, sizeof(output)) == 0; ++err: ++ ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++int FIPS_selftest_kdf(void) ++{ ++ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf(); ++} ++ ++#endif +diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c +--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200 +@@ -111,6 +111,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; ++ if (!FIPS_selftest_kdf()) ++ rv = 0; + return rv; + } + +diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h +--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200 ++++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200 +@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff); + int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); ++int FIPS_selftest_kbkdf(void); ++int FIPS_selftest_pbkdf2(void); ++int FIPS_selftest_kdf(void); + + int fips_in_post(void); + +diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h +--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200 ++++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200 +@@ -123,6 +123,8 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_DSA 112 + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_KBKDF 151 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 diff --git a/SOURCES/openssl-1.1.1-reneg-no-extms.patch b/SOURCES/openssl-1.1.1-reneg-no-extms.patch new file mode 100644 index 0000000..76adef7 --- /dev/null +++ b/SOURCES/openssl-1.1.1-reneg-no-extms.patch @@ -0,0 +1,44 @@ +diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h +--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200 +@@ -292,6 +292,9 @@ extern "C" { + + # define TLS1_FLAGS_STATELESS 0x0800 + ++/* Set if extended master secret extension required on renegotiation */ ++# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000 ++ + # define SSL3_MT_HELLO_REQUEST 0 + # define SSL3_MT_CLIENT_HELLO 1 + # define SSL3_MT_SERVER_HELLO 2 +diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c +--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200 +@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int + + static int init_ems(SSL *s, unsigned int context) + { +- if (!s->server) ++ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) { + s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS; ++ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS; ++ } + + return 1; + } + + static int final_ems(SSL *s, unsigned int context, int sent) + { ++ /* ++ * Check extended master secret extension is not dropped on ++ * renegotiation. ++ */ ++ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) ++ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS, ++ SSL_R_INCONSISTENT_EXTMS); ++ return 0; ++ } + if (!s->server && s->hit) { + /* + * Check extended master secret extension is consistent with diff --git a/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch b/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch new file mode 100644 index 0000000..4d04d37 --- /dev/null +++ b/SOURCES/openssl-1.1.1-rewire-fips-drbg.patch @@ -0,0 +1,170 @@ +diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c +--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200 +@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, + int FIPS_drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)adinlen; ++ ++ if (len < 0 || (size_t)len != adinlen) { ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++ return 0; ++ } ++ RAND_seed(adin, len); ++ return 1; ++} ++ ++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ + return drbg_reseed(dctx, adin, adinlen, 1); + } + +@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u + int prediction_resistance, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)outlen; ++ ++ if (len < 0 || (size_t)len != outlen) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); ++ return 0; ++ } ++ return RAND_bytes(out, len); ++} ++ ++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ + int r = 0; + + if (FIPS_selftest_failed()) { +diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c +--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200 +@@ -57,6 +57,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + +diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c +--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200 +@@ -55,6 +55,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + #include "fips_locl.h" +diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c +--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200 +@@ -79,8 +79,6 @@ int FIPS_selftest(void) + ERR_add_error_data(2, "Type=", "rand_drbg_selftest"); + rv = 0; + } +- if (!FIPS_selftest_drbg()) +- rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) +diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c +--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200 ++++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200 +@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) + + int FIPS_rand_seed(const void *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int + if (fips_rand_meth && fips_rand_meth->seed) + fips_rand_meth->seed(buf, num); + return 1; ++#else ++ RAND_seed(buf, num); ++ return 1; ++#endif + } + + int FIPS_rand_bytes(unsigned char *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, + if (fips_rand_meth && fips_rand_meth->bytes) + return fips_rand_meth->bytes(buf, num); + return 0; ++#else ++ return RAND_bytes(buf, num); ++#endif + } + + int FIPS_rand_status(void) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -149,6 +159,9 @@ int FIPS_rand_status(void) + if (fips_rand_meth && fips_rand_meth->status) + return fips_rand_meth->status(); + return 0; ++#else ++ return RAND_status(); ++#endif + } + + /* Return instantiated strength of PRNG. For DRBG this is an internal +diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h +--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200 ++++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200 +@@ -64,6 +64,11 @@ extern "C" { + + int FIPS_selftest(void); + int FIPS_selftest_failed(void); ++ ++ /* ++ * This function is deprecated as it performs selftest of the old FIPS drbg ++ * implementation that is not validated. ++ */ + int FIPS_selftest_drbg_all(void); + + int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, +diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h +--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200 ++++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200 +@@ -60,6 +60,20 @@ + # ifdef __cplusplus + extern "C" { + # endif ++ ++/* ++ * IMPORTANT NOTE: ++ * All functions in this header file are deprecated and should not be used ++ * as they use the old FIPS_drbg implementation that is not FIPS validated ++ * anymore. ++ * To provide backwards compatibility for applications that need FIPS compliant ++ * RNG number generation and use FIPS_drbg_generate, this function was ++ * re-wired to call the FIPS validated DRBG instance instead through ++ * the RAND_bytes() call. ++ * ++ * All these functions will be removed in future. ++ */ ++ + typedef struct drbg_ctx_st DRBG_CTX; + /* DRBG external flags */ + /* Flag for CTR mode only: use derivation function ctr_df */ diff --git a/SOURCES/openssl-1.1.1-seclevel.patch b/SOURCES/openssl-1.1.1-seclevel.patch index 6b30d7d..c6751a5 100644 --- a/SOURCES/openssl-1.1.1-seclevel.patch +++ b/SOURCES/openssl-1.1.1-seclevel.patch @@ -1,7 +1,7 @@ -diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c ---- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200 -+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 14:34:43.083145020 +0200 -@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c +diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c +--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200 +@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c } static const int minbits_table[] = { 80, 112, 128, 192, 256 }; @@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table); /* -@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT +@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) return 0; - - return secbits >= minbits_table[level - 1]; -+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */ -+ if (FIPS_mode()) ++ /* ++ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic ++ * disable SHA1 flag is not set. ++ */ ++ if ((ctx->param->flags & 0x40000000) || FIPS_mode()) + return secbits >= minbits_table[level - 1]; + return secbits >= minbits_digest_table[level - 1]; } -diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod ---- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200 -+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 14:34:43.083145020 +0200 +diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod +--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200 @@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited =item B @@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl- In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled. -diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c ---- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200 -+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200 -@@ -983,6 +983,9 @@ static int ssl_security_default_callback +diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c +--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200 +@@ -27,6 +27,7 @@ + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, void *other, + void *ex); ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx); + + static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT; + static volatile int ssl_x509_store_ctx_idx = -1; +@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_ + X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); + + /* Set suite B flags if needed */ +- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s)); ++ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL)); + if (!X509_STORE_CTX_set_ex_data + (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) { + goto end; +@@ -953,12 +954,33 @@ static int ssl_security_default_callback return 0; break; default: + /* allow SHA1 in SECLEVEL 2 in non FIPS mode */ -+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode()) ++ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx)) + break; if (bits < minbits) return 0; } -diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t ---- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200 -+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 14:34:43.084145044 +0200 -@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver + return 1; + } + ++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx) ++{ ++ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */ ++ const CERT *c; ++ ++ if (FIPS_mode()) ++ return ret; ++ ++ if (ctx != NULL) { ++ c = ctx->cert; ++ } else { ++ c = s->cert; ++ } ++ if (tls1_cert_sigalgs_have_sha1(c)) ++ return 0; ++ return ret; ++} ++ + int ssl_security(const SSL *s, int op, int bits, int nid, void *other) + { + return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex); +diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h +--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200 ++++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200 +@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC + __owur int tls1_process_sigalgs(SSL *s); + __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey); + __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd); ++int tls1_cert_sigalgs_have_sha1(const CERT *c); + __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs); + # ifndef OPENSSL_NO_EC + __owur int tls_check_sigalg_curve(const SSL *s, int curve); +diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c +--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200 ++++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200 +@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int + return 0; + } + ++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen) ++{ ++ size_t i; ++ ++ for (i = 0; i < sigalgslen; i++, sigalgs++) { ++ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs); ++ ++ if (lu == NULL) ++ continue; ++ if (lu->hash == NID_sha1) ++ return 1; ++ } ++ return 0; ++} ++ ++ ++int tls1_cert_sigalgs_have_sha1(const CERT *c) ++{ ++ if (c->client_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen)) ++ return 1; ++ } ++ if (c->conf_sigalgs != NULL) { ++ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen)) ++ return 1; ++ return 0; ++ } ++ return 1; ++} ++ + static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid) + { + int sig_nid, use_pc_sigalgs = 0; +diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t +--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200 ++++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200 +@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ), "CA with PSS signature using SHA256"); diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 14d4912..fadc22e 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1g -Release: 5%{?dist} +Release: 9%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -68,6 +68,10 @@ Patch61: openssl-1.1.1-edk2-build.patch Patch62: openssl-1.1.1-fips-curves.patch Patch65: openssl-1.1.1-fips-drbg-selftest.patch Patch66: openssl-1.1.1-fips-dh.patch +Patch67: openssl-1.1.1-kdf-selftest.patch +Patch68: openssl-1.1.1-reneg-no-extms.patch +Patch69: openssl-1.1.1-alpn-cb.patch +Patch70: openssl-1.1.1-rewire-fips-drbg.patch # Backported fixes including security fixes Patch52: openssl-1.1.1-s390x-update.patch Patch53: openssl-1.1.1-fips-crng-test.patch @@ -185,6 +189,11 @@ cp %{SOURCE13} test/ %patch62 -p1 -b .fips-curves %patch65 -p1 -b .drbg-selftest %patch66 -p1 -b .fips-dh +%patch67 -p1 -b .kdf-selftest +%patch68 -p1 -b .reneg-no-extms +%patch69 -p1 -b .alpn-cb +%patch70 -p1 -b .rewire-fips-drbg + %build # Figure out which flags we want to use. @@ -468,6 +477,20 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Tue Jun 23 2020 Tomáš Mráz 1.1.1g-9 +- Rewire FIPS_drbg API to use the RAND_DRBG +- Use the well known DH groups in TLS even for 2048 and 1024 bit parameters + +* Mon Jun 8 2020 Tomáš Mráz 1.1.1g-7 +- Disallow dropping Extended Master Secret extension + on renegotiation +- Return alert from s_server if ALPN protocol does not match +- SHA1 is allowed in @SECLEVEL=2 only if allowed by + TLS SigAlgs configuration + +* Wed Jun 3 2020 Tomáš Mráz 1.1.1g-6 +- Add FIPS selftest for PBKDF2 and KBKDF + * Wed May 27 2020 Tomáš Mráz 1.1.1g-5 - Allow only well known DH groups in the FIPS mode