automatic import of compat-openssl11openeuler24.03_LTS openeuler23.09

author: CoprDistGit <infra@openeuler.org> 2024-08-01 14:09:41 +0000
committer: CoprDistGit <infra@openeuler.org> 2024-08-01 14:09:41 +0000
commit: d8253271bee23ac54145c0ba1d15f48e6620bb5e (patch)
tree: 470a23e7c4bb3541b4ff08932ce1fbd46fe59c9c /openssl-1.1.1-rewire-fips-drbg.patch
parent: 17146a82118c2690c851cbb31077186594ba86d6 (diff)
1 files changed, 170 insertions, 0 deletions
diff --git a/openssl-1.1.1-rewire-fips-drbg.patch b/openssl-1.1.1-rewire-fips-drbg.patch
new file mode 100644
index 0000000..4d04d37
--- /dev/null
+++ b/openssl-1.1.1-rewire-fips-drbg.patch
@@ -0,0 +1,170 @@
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c	2020-06-22 13:32:47.675852917 +0200
+@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
+ int FIPS_drbg_reseed(DRBG_CTX *dctx,
+                      const unsigned char *adin, size_t adinlen)
+ {
++    int len = (int)adinlen;
++
++    if (len < 0 || (size_t)len != adinlen) {
++        FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++        return 0;
++    }
++    RAND_seed(adin, len);
++    return 1;
++}
++
++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
++                     const unsigned char *adin, size_t adinlen)
++{
+     return drbg_reseed(dctx, adin, adinlen, 1);
+ }
+ 
+@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
+                        int prediction_resistance,
+                        const unsigned char *adin, size_t adinlen)
+ {
++    int len = (int)outlen;
++
++    if (len < 0 || (size_t)len != outlen) {
++        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
++        return 0;
++    }
++    return RAND_bytes(out, len);
++}
++
++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++                       int prediction_resistance,
++                       const unsigned char *adin, size_t adinlen)
++{
+     int r = 0;
+ 
+     if (FIPS_selftest_failed()) {
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg	2020-06-22 13:32:47.611852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c	2020-06-22 13:32:47.675852917 +0200
+@@ -57,6 +57,8 @@
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ 
+diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg	2020-06-22 13:32:47.612852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c	2020-06-22 13:32:47.675852917 +0200
+@@ -55,6 +55,8 @@
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ #include "fips_locl.h"
+diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
+--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
++++ openssl-1.1.1g/crypto/fips/fips_post.c	2020-06-22 13:32:47.675852917 +0200
+@@ -79,8 +79,6 @@ int FIPS_selftest(void)
+         ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
+         rv = 0;
+     }
+-    if (!FIPS_selftest_drbg())
+-        rv = 0;
+     if (!FIPS_selftest_sha1())
+         rv = 0;
+     if (!FIPS_selftest_sha2())
+diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg	2020-06-22 13:32:47.613852927 +0200
++++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c	2020-06-22 13:36:28.722817967 +0200
+@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
+ 
+ int FIPS_rand_seed(const void *buf, int num)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
+     if (fips_rand_meth && fips_rand_meth->seed)
+         fips_rand_meth->seed(buf, num);
+     return 1;
++#else
++    RAND_seed(buf, num);
++    return 1;
++#endif
+ }
+ 
+ int FIPS_rand_bytes(unsigned char *buf, int num)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
+     if (fips_rand_meth && fips_rand_meth->bytes)
+         return fips_rand_meth->bytes(buf, num);
+     return 0;
++#else
++    return RAND_bytes(buf, num);
++#endif
+ }
+ 
+ int FIPS_rand_status(void)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
+     if (fips_rand_meth && fips_rand_meth->status)
+         return fips_rand_meth->status();
+     return 0;
++#else
++    return RAND_status();
++#endif
+ }
+ 
+ /* Return instantiated strength of PRNG. For DRBG this is an internal
+diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
+--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg	2020-06-22 13:32:47.672852918 +0200
++++ openssl-1.1.1g/include/openssl/fips.h	2020-06-22 13:32:47.675852917 +0200
+@@ -64,6 +64,11 @@ extern "C" {
+ 
+     int FIPS_selftest(void);
+     int FIPS_selftest_failed(void);
++
++    /*
++     * This function is deprecated as it performs selftest of the old FIPS drbg
++     * implementation that is not validated.
++     */
+     int FIPS_selftest_drbg_all(void);
+ 
+     int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
+--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg	2020-06-22 13:32:47.617852926 +0200
++++ openssl-1.1.1g/include/openssl/fips_rand.h	2020-06-22 13:32:47.675852917 +0200
+@@ -60,6 +60,20 @@
+ #  ifdef  __cplusplus
+ extern "C" {
+ #  endif
++
++/*
++ * IMPORTANT NOTE:
++ * All functions in this header file are deprecated and should not be used
++ * as they use the old FIPS_drbg implementation that is not FIPS validated
++ * anymore.
++ * To provide backwards compatibility for applications that need FIPS compliant
++ * RNG number generation and use FIPS_drbg_generate, this function was
++ * re-wired to call the FIPS validated DRBG instance instead through
++ * the RAND_bytes() call.
++ *
++ * All these functions will be removed in future.
++ */
++
+     typedef struct drbg_ctx_st DRBG_CTX;
+ /* DRBG external flags */
+ /* Flag for CTR mode only: use derivation function ctr_df */
author	CoprDistGit <infra@openeuler.org>	2024-08-01 14:09:41 +0000
committer	CoprDistGit <infra@openeuler.org>	2024-08-01 14:09:41 +0000
commit	d8253271bee23ac54145c0ba1d15f48e6620bb5e (patch)
tree	470a23e7c4bb3541b4ff08932ce1fbd46fe59c9c /openssl-1.1.1-rewire-fips-drbg.patch
parent	17146a82118c2690c851cbb31077186594ba86d6 (diff)