public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Simo Sorce <simo@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: Backport patches to fix external providers compatibility issues
Date: Tue, 09 Jun 2026 12:45:06 GMT [thread overview]
Message-ID: <178100910600.1.577968703288435285.rpms-openssl-e9a051193338@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : e9a051193338320cfd00dfe44efbaa174bf0522f
Author : Simo Sorce <simo@redhat.com>
Date : 2022-11-16T14:27:12-05:00
Stats : +756/-2 in 7 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/e9a051193338320cfd00dfe44efbaa174bf0522f?branch=rebase_40beta
Log:
Backport patches to fix external providers compatibility issues
---
diff --git a/.gitignore b/.gitignore
index 45b4c39..57006f1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
.build*.log
clog
-000*.patch
*.src.rpm
openssl-1.0.0a-usa.tar.bz2
/openssl-1.0.0b-usa.tar.bz2
diff --git a/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch b/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
new file mode 100644
index 0000000..660b237
--- /dev/null
+++ b/0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
@@ -0,0 +1,41 @@
+From c342004e07fd2c03a672f79353d13554fe0ffdaf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tomas@openssl.org>
+Date: Tue, 13 Sep 2022 14:37:05 +1000
+Subject: [PATCH] EVP_PKEY_eq: regain compatibility with the 3.0.0 FIPS
+ provider
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19201)
+---
+ crypto/evp/p_lib.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
+index 170cb89cb0..c8c342b3e9 100644
+--- a/crypto/evp/p_lib.c
++++ b/crypto/evp/p_lib.c
+@@ -339,9 +339,16 @@ int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b)
+ if (a == NULL || b == NULL)
+ return 0;
+
+- if (a->keymgmt != NULL || b->keymgmt != NULL)
+- return evp_pkey_cmp_any(a, b, (SELECT_PARAMETERS
+- | OSSL_KEYMGMT_SELECT_KEYPAIR));
++ if (a->keymgmt != NULL || b->keymgmt != NULL) {
++ int selection = SELECT_PARAMETERS;
++
++ if (evp_keymgmt_util_has((EVP_PKEY *)a, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
++ && evp_keymgmt_util_has((EVP_PKEY *)b, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
++ selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
++ else
++ selection |= OSSL_KEYMGMT_SELECT_KEYPAIR;
++ return evp_pkey_cmp_any(a, b, selection);
++ }
+
+ /* All legacy keys */
+ if (a->type != b->type)
+--
+2.38.1
+
diff --git a/0082-Propagate-selection-all-the-way-on-key-export.patch b/0082-Propagate-selection-all-the-way-on-key-export.patch
new file mode 100644
index 0000000..d09fc63
--- /dev/null
+++ b/0082-Propagate-selection-all-the-way-on-key-export.patch
@@ -0,0 +1,221 @@
+From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 10 Nov 2022 10:46:32 -0500
+Subject: [PATCH 1/3] Propagate selection all the way on key export
+
+EVP_PKEY_eq() is used to check, among other things, if a certificate
+public key corresponds to a private key. When the private key belongs to
+a provider that does not allow to export private keys this currently
+fails as the internal functions used to import/export keys ignored the
+selection given (which specifies that only the public key needs to be
+considered) and instead tries to export everything.
+
+This patch allows to propagate the selection all the way down including
+adding it in the cache so that a following operation actually looking
+for other selection parameters does not mistakenly pick up an export
+containing only partial information.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19648)
+
+diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c
+index b06730dc7a..2d0238ee27 100644
+--- a/crypto/evp/keymgmt_lib.c
++++ b/crypto/evp/keymgmt_lib.c
+@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
+ export_cb, export_cbarg);
+ }
+
+-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++ int selection)
+ {
+ struct evp_keymgmt_util_try_import_data_st import_data;
+ OP_CACHE_ELEM *op;
+@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+ */
+ if (pk->dirty_cnt == pk->dirty_cnt_copy) {
+ /* If this key is already exported to |keymgmt|, no more to do */
+- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
++ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
+ if (op != NULL && op->keymgmt != NULL) {
+ void *ret = op->keydata;
+
+@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+ /* Setup for the export callback */
+ import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */
+ import_data.keymgmt = keymgmt;
+- import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
++ import_data.selection = selection;
+
+ /*
+ * The export function calls the callback (evp_keymgmt_util_try_import),
+ * which does the import for us. If successful, we're done.
+ */
+- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL,
++ if (!evp_keymgmt_util_export(pk, selection,
+ &evp_keymgmt_util_try_import, &import_data))
+ /* If there was an error, bail out */
+ return NULL;
+@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+ return NULL;
+ }
+ /* Check to make sure some other thread didn't get there first */
+- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt);
++ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection);
+ if (op != NULL && op->keydata != NULL) {
+ void *ret = op->keydata;
+
+@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt)
+ evp_keymgmt_util_clear_operation_cache(pk, 0);
+
+ /* Add the new export to the operation cache */
+- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) {
++ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata,
++ selection)) {
+ CRYPTO_THREAD_unlock(pk->lock);
+ evp_keymgmt_freedata(keymgmt, import_data.keydata);
+ return NULL;
+@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking)
+ }
+
+ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+- EVP_KEYMGMT *keymgmt)
++ EVP_KEYMGMT *keymgmt,
++ int selection)
+ {
+ int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache);
+ OP_CACHE_ELEM *p;
+@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+ */
+ for (i = 0; i < end; i++) {
+ p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i);
+- if (keymgmt == p->keymgmt)
++ if (keymgmt == p->keymgmt && (p->selection & selection) == selection)
+ return p;
+ }
+ return NULL;
+ }
+
+-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+- EVP_KEYMGMT *keymgmt, void *keydata)
++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++ void *keydata, int selection)
+ {
+ OP_CACHE_ELEM *p = NULL;
+
+@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+ return 0;
+ p->keydata = keydata;
+ p->keymgmt = keymgmt;
++ p->selection = selection;
+
+ if (!EVP_KEYMGMT_up_ref(keymgmt)) {
+ OPENSSL_free(p);
+@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
+ ok = 1;
+ if (keydata1 != NULL) {
+ tmp_keydata =
+- evp_keymgmt_util_export_to_provider(pk1, keymgmt2);
++ evp_keymgmt_util_export_to_provider(pk1, keymgmt2,
++ selection);
+ ok = (tmp_keydata != NULL);
+ }
+ if (ok) {
+@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection)
+ ok = 1;
+ if (keydata2 != NULL) {
+ tmp_keydata =
+- evp_keymgmt_util_export_to_provider(pk2, keymgmt1);
++ evp_keymgmt_util_export_to_provider(pk2, keymgmt1,
++ selection);
+ ok = (tmp_keydata != NULL);
+ }
+ if (ok) {
+diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
+index 70d17ec37e..905e9c9ce4 100644
+--- a/crypto/evp/p_lib.c
++++ b/crypto/evp/p_lib.c
+@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+ {
+ EVP_KEYMGMT *allocated_keymgmt = NULL;
+ EVP_KEYMGMT *tmp_keymgmt = NULL;
++ int selection = OSSL_KEYMGMT_SELECT_ALL;
+ void *keydata = NULL;
+ int check;
+
+@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+ if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) {
+ if (!CRYPTO_THREAD_read_lock(pk->lock))
+ goto end;
+- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
++ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt,
++ selection);
+
+ /*
+ * If |tmp_keymgmt| is present in the operation cache, it means
+@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+ EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */
+
+ /* Check to make sure some other thread didn't get there first */
+- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt);
++ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection);
+ if (op != NULL && op->keymgmt != NULL) {
+ void *tmp_keydata = op->keydata;
+
+@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+ }
+
+ /* Add the new export to the operation cache */
+- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) {
++ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata,
++ selection)) {
+ CRYPTO_THREAD_unlock(pk->lock);
+ evp_keymgmt_freedata(tmp_keymgmt, keydata);
+ keydata = NULL;
+@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
+ }
+ #endif /* FIPS_MODULE */
+
+- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt);
++ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection);
+
+ end:
+ /*
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index f601b72807..dbbdcccbda 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
+ typedef struct {
+ EVP_KEYMGMT *keymgmt;
+ void *keydata;
++ int selection;
+ } OP_CACHE_ELEM;
+
+ DEFINE_STACK_OF(OP_CACHE_ELEM)
+@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata);
+
+ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
+ OSSL_CALLBACK *export_cb, void *export_cbarg);
+-void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
++void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++ int selection);
+ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+- EVP_KEYMGMT *keymgmt);
++ EVP_KEYMGMT *keymgmt,
++ int selection);
+ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
+-int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+- EVP_KEYMGMT *keymgmt, void *keydata);
++int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++ void *keydata, int selection);
+ void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
+ void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
+ int selection, const OSSL_PARAM params[]);
+--
+2.38.1
+
diff --git a/0083-Update-documentation-for-keymgmt-export-utils.patch b/0083-Update-documentation-for-keymgmt-export-utils.patch
new file mode 100644
index 0000000..9639360
--- /dev/null
+++ b/0083-Update-documentation-for-keymgmt-export-utils.patch
@@ -0,0 +1,52 @@
+From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 10 Nov 2022 16:58:28 -0500
+Subject: [PATCH 2/3] Update documentation for keymgmt export utils
+
+Change function prototypes and explain how to use the selection
+argument.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19648)
+
+diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+index 1fee9f6ff9..7099e44964 100644
+--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
++++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+@@ -20,12 +20,14 @@ OP_CACHE_ELEM
+
+ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection,
+ OSSL_CALLBACK *export_cb, void *export_cbarg);
+- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
++ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++ int selection);
+ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,
+- EVP_KEYMGMT *keymgmt);
++ EVP_KEYMGMT *keymgmt,
++ int selection);
+ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);
+- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk,
+- EVP_KEYMGMT *keymgmt, void *keydata);
++ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,
++ void *keydata, int selection);
+ void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);
+ void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt,
+ int selection, const OSSL_PARAM params[]);
+@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a
+ given key I<target> via a B<EVP_KEYMGMT> interface. This is used as a
+ helper for L<EVP_PKEY_fromdata(3)>.
+
++In all functions that take a I<selection> argument, the selection is used to
++constraint the information requested on export. It is also used in the cache
++so that key data is guaranteed to contain all the information requested in
++the selection.
++
+ =head1 RETURN VALUES
+
+ evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata()
+--
+2.38.1
+
diff --git a/0084-Add-test-for-EVP_PKEY_eq.patch b/0084-Add-test-for-EVP_PKEY_eq.patch
new file mode 100644
index 0000000..06a3bae
--- /dev/null
+++ b/0084-Add-test-for-EVP_PKEY_eq.patch
@@ -0,0 +1,357 @@
+From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 11 Nov 2022 12:18:26 -0500
+Subject: [PATCH 3/3] Add test for EVP_PKEY_eq
+
+This tests that the comparison work even if a provider can only return
+a public key.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19648)
+
+diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c
+index d556551bb6..5e92e72d4b 100644
+--- a/test/fake_rsaprov.c
++++ b/test/fake_rsaprov.c
+@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has;
+ static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query;
+ static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import;
+ static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes;
++static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export;
++static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes;
+ static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load;
+
+ static int has_selection;
+ static int imptypes_selection;
++static int exptypes_selection;
+ static int query_id;
+
++struct fake_rsa_keydata {
++ int selection;
++ int status;
++};
++
+ static void *fake_rsa_keymgmt_new(void *provctx)
+ {
+- unsigned char *keydata = OPENSSL_zalloc(1);
++ struct fake_rsa_keydata *key;
+
+- TEST_ptr(keydata);
++ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata))))
++ return NULL;
+
+ /* clear test globals */
+ has_selection = 0;
+ imptypes_selection = 0;
++ exptypes_selection = 0;
+ query_id = 0;
+
+- return keydata;
++ return key;
+ }
+
+ static void fake_rsa_keymgmt_free(void *keydata)
+@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id)
+ static int fake_rsa_keymgmt_import(void *keydata, int selection,
+ const OSSL_PARAM *p)
+ {
+- unsigned char *fake_rsa_key = keydata;
++ struct fake_rsa_keydata *fake_rsa_key = keydata;
+
+ /* key was imported */
+- *fake_rsa_key = 1;
++ fake_rsa_key->status = 1;
+
+ return 1;
+ }
+
++static unsigned char fake_rsa_n[] =
++ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
++ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
++ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
++ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
++ "\xF5";
++
++static unsigned char fake_rsa_e[] = "\x11";
++
++static unsigned char fake_rsa_d[] =
++ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
++ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
++ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
++ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
++
++static unsigned char fake_rsa_p[] =
++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
++ "\x0D";
++
++static unsigned char fake_rsa_q[] =
++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++ "\x89";
++
++static unsigned char fake_rsa_dmp1[] =
++ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
++
++static unsigned char fake_rsa_dmq1[] =
++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
++ "\x51";
++
++static unsigned char fake_rsa_iqmp[] =
++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
++
++OSSL_PARAM *fake_rsa_key_params(int priv)
++{
++ if (priv) {
++ OSSL_PARAM params[] = {
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
++ sizeof(fake_rsa_n) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
++ sizeof(fake_rsa_e) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d,
++ sizeof(fake_rsa_d) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p,
++ sizeof(fake_rsa_p) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q,
++ sizeof(fake_rsa_q) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1,
++ sizeof(fake_rsa_dmp1) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1,
++ sizeof(fake_rsa_dmq1) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp,
++ sizeof(fake_rsa_iqmp) -1),
++ OSSL_PARAM_END
++ };
++ return OSSL_PARAM_dup(params);
++ } else {
++ OSSL_PARAM params[] = {
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n,
++ sizeof(fake_rsa_n) -1),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e,
++ sizeof(fake_rsa_e) -1),
++ OSSL_PARAM_END
++ };
++ return OSSL_PARAM_dup(params);
++ }
++}
++
++static int fake_rsa_keymgmt_export(void *keydata, int selection,
++ OSSL_CALLBACK *param_callback, void *cbarg)
++{
++ OSSL_PARAM *params = NULL;
++ int ret;
++
++ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY)
++ return 0;
++
++ if (!TEST_ptr(params = fake_rsa_key_params(0)))
++ return 0;
++
++ ret = param_callback(params, cbarg);
++ OSSL_PARAM_free(params);
++ return ret;
++}
++
+ static const OSSL_PARAM fake_rsa_import_key_types[] = {
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
+@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection)
+ return fake_rsa_import_key_types;
+ }
+
++static const OSSL_PARAM fake_rsa_export_key_types[] = {
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0),
++ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0),
++ OSSL_PARAM_END
++};
++
++static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection)
++{
++ /* record global for checking */
++ exptypes_selection = selection;
++
++ return fake_rsa_export_key_types;
++}
++
+ static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz)
+ {
+- unsigned char *key = NULL;
++ struct fake_rsa_keydata *key = NULL;
+
+- if (reference_sz != sizeof(key))
++ if (reference_sz != sizeof(*key))
+ return NULL;
+
+- key = *(unsigned char **)reference;
+- if (*key != 1)
++ key = *(struct fake_rsa_keydata **)reference;
++ if (key->status != 1)
+ return NULL;
+
+ /* detach the reference */
+- *(unsigned char **)reference = NULL;
++ *(struct fake_rsa_keydata **)reference = NULL;
+
+ return key;
+ }
+@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ {
+ unsigned char *gctx = genctx;
+ static const unsigned char inited[] = { 1 };
+- unsigned char *keydata;
++ struct fake_rsa_keydata *keydata;
+
+ if (!TEST_ptr(gctx)
+ || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited)))
+@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
+ if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL)))
+ return NULL;
+
+- *keydata = 2;
++ keydata->status = 2;
+ return keydata;
+ }
+
+@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = {
+ { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import },
+ { OSSL_FUNC_KEYMGMT_IMPORT_TYPES,
+ (void (*)(void))fake_rsa_keymgmt_imptypes },
++ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export },
++ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES,
++ (void (*)(void))fake_rsa_keymgmt_exptypes },
+ { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load },
+ { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init },
+ { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen },
+@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey,
+ const OSSL_PARAM params[])
+ {
+ unsigned char *sigctx = ctx;
+- unsigned char *keydata = provkey;
++ struct fake_rsa_keydata *keydata = provkey;
+
+ /* we must have a ctx */
+ if (!TEST_ptr(sigctx))
+ return 0;
+
+ /* we must have some initialized key */
+- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0))
++ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0))
+ return 0;
+
+ /* record that sign init was called */
+@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx,
+ unsigned char *storectx = loaderctx;
+ OSSL_PARAM params[4];
+ int object_type = OSSL_OBJECT_PKEY;
+- void *key = NULL;
++ struct fake_rsa_keydata *key = NULL;
+ int rv = 0;
+
+ switch (*storectx) {
+@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx,
+ /* The address of the key becomes the octet string */
+ params[2] =
+ OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE,
+- &key, sizeof(key));
++ &key, sizeof(*key));
+ params[3] = OSSL_PARAM_construct_end();
+ rv = object_cb(params, object_cbarg);
+ *storectx = 1;
+diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h
+index 57de1ecf8d..190c46a285 100644
+--- a/test/fake_rsaprov.h
++++ b/test/fake_rsaprov.h
+@@ -12,3 +12,4 @@
+ /* Fake RSA provider implementation */
+ OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx);
+ void fake_rsa_finish(OSSL_PROVIDER *p);
++OSSL_PARAM *fake_rsa_key_params(int priv);
+diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c
+index 5c398398f4..3b190baa5e 100644
+--- a/test/provider_pkey_test.c
++++ b/test/provider_pkey_test.c
+@@ -176,6 +176,67 @@ end:
+ return ret;
+ }
+
++static int test_pkey_eq(void)
++{
++ OSSL_PROVIDER *deflt = NULL;
++ OSSL_PROVIDER *fake_rsa = NULL;
++ EVP_PKEY *pkey_fake = NULL;
++ EVP_PKEY *pkey_dflt = NULL;
++ EVP_PKEY_CTX *ctx = NULL;
++ OSSL_PARAM *params = NULL;
++ int ret = 0;
++
++ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
++ return 0;
++
++ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
++ goto end;
++
++ /* Construct a public key for fake-rsa */
++ if (!TEST_ptr(params = fake_rsa_key_params(0))
++ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
++ "provider=fake-rsa"))
++ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
++ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
++ params))
++ || !TEST_ptr(pkey_fake))
++ goto end;
++
++ EVP_PKEY_CTX_free(ctx);
++ ctx = NULL;
++ OSSL_PARAM_free(params);
++ params = NULL;
++
++ /* Construct a public key for default */
++ if (!TEST_ptr(params = fake_rsa_key_params(0))
++ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
++ "provider=default"))
++ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
++ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
++ params))
++ || !TEST_ptr(pkey_dflt))
++ goto end;
++
++ EVP_PKEY_CTX_free(ctx);
++ ctx = NULL;
++ OSSL_PARAM_free(params);
++ params = NULL;
++
++ /* now test for equality */
++ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
++ goto end;
++
++ ret = 1;
++end:
++ fake_rsa_finish(fake_rsa);
++ OSSL_PROVIDER_unload(deflt);
++ EVP_PKEY_CTX_free(ctx);
++ EVP_PKEY_free(pkey_fake);
++ EVP_PKEY_free(pkey_dflt);
++ OSSL_PARAM_free(params);
++ return ret;
++}
++
+ static int test_pkey_store(int idx)
+ {
+ OSSL_PROVIDER *deflt = NULL;
+@@ -235,6 +296,7 @@ int setup_tests(void)
+
+ ADD_TEST(test_pkey_sig);
+ ADD_TEST(test_alternative_keygen_init);
++ ADD_TEST(test_pkey_eq);
+ ADD_ALL_TESTS(test_pkey_store, 2);
+
+ return 1;
+--
+2.38.1
+
diff --git a/0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch b/0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
new file mode 100644
index 0000000..57a0919
--- /dev/null
+++ b/0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
@@ -0,0 +1,75 @@
+From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Mon, 14 Nov 2022 10:25:15 -0500
+Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
+
+The providers indication should always indicate that this is not a
+legacy request.
+This makes a check for engines redundant as the default return is that
+legacy is ok if there are no explicit providers.
+
+Fixes #19662
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19671)
+---
+ apps/lib/apps.c | 8 --------
+ test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+ create mode 100755 test/recipes/20-test_legacy_okay.t
+
+diff --git a/apps/lib/apps.c b/apps/lib/apps.c
+index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
+--- a/apps/lib/apps.c
++++ b/apps/lib/apps.c
+@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
+ {
+ int provider_options = opt_provider_option_given();
+ int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
+-#ifndef OPENSSL_NO_ENGINE
+- ENGINE *e = ENGINE_get_first();
+-
+- if (e != NULL) {
+- ENGINE_free(e);
+- return 1;
+- }
+-#endif
+ /*
+ * Having a provider option specified or a custom library context or
+ * property query, is a sure sign we're not using legacy.
+diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
+new file mode 100755
+index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
+--- /dev/null
++++ b/test/recipes/20-test_legacy_okay.t
+@@ -0,0 +1,23 @@
++#! /usr/bin/env perl
++# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License"). You may not use
++# this file except in compliance with the License. You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++use strict;
++use warnings;
++
++use OpenSSL::Test;
++
++setup("test_legacy");
++
++plan tests => 3;
++
++ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
++
++ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
++
++ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
++ 'rand.txt'])), "Fail to generate a digest");
+--
+2.38.1
+
diff --git a/openssl.spec b/openssl.spec
index 3110d38..287ab80 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.5
-Release: 6%{?dist}
+Release: 7%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -186,6 +186,12 @@ Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch79: 0079-Fix-AES-GCM-on-Power-8-CPUs.patch
#CVE-2022-3602
Patch80: 0080-CVE-2022-3602.patch
+#Provider interface fixes
+Patch81: 0081-EVP_PKEY_eq-regain-compatibility-with-the-3.0.0-FIPS.patch
+Patch82: 0082-Propagate-selection-all-the-way-on-key-export.patch
+Patch83: 0083-Update-documentation-for-keymgmt-export-utils.patch
+Patch84: 0084-Add-test-for-EVP_PKEY_eq.patch
+Patch85: 0085-Drop-explicit-check-for-engines-in-opt_legacy_okay.patch
License: ASL 2.0
URL: http://www.openssl.org/
@@ -523,6 +529,9 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
+* Wed Nov 16 2022 Simo sorce <simo@redhat.com> - 1:3.0.5-7
+- Backport patches to fix external providers compatibility issues
+
* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-6
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
reply other threads:[~2026-06-09 12:45 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178100910600.1.577968703288435285.rpms-openssl-e9a051193338@fedoraproject.org \
--to=simo@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox