Merge pull request #18 from ciq-rocky-fips/collect_rpms

Collect rpms

.github/workflows/fipsmodule.yml

@@ -38,22 +38,25 @@ jobs:
           ls -l ./RESULTS
 
           # Extract the FIPS module
-          mkdir RESULTS/{tmp,fips_module}
-          cd RESULTS/tmp
-          if [ -z "$DEBUG" ]; then
-              echo "Extracting FIPS module"
-              rpm2cpio ../openssl-libs-3*ciqfips*.x86_64.rpm | cpio -idmv ./usr/lib64/\*/fips.so
-          else
-              mkdir -p usr/lib64/ossl-modules
-              echo Creating fake fips module
-              touch usr/lib64/ossl-modules/fips.so
-          fi
-          mv ./usr/lib64/ossl-modules/fips.so ../fips_module/fips.so.x86_64
-          cd ..
+          #mkdir RESULTS/{tmp,fips_module}
+          #cd RESULTS/tmp
+          #if [ -z "$DEBUG" ]; then
+          #    echo "Extracting FIPS module"
+          #    rpm2cpio ../openssl-libs-3*ciqfips*.x86_64.rpm | cpio -idmv ./usr/lib64/\*/fips.so
+          #else
+          #    mkdir -p usr/lib64/ossl-modules
+          #    echo Creating fake fips module
+          #    touch usr/lib64/ossl-modules/fips.so
+          #fi
+          #mv ./usr/lib64/ossl-modules/fips.so ../fips_module/fips.so.x86_64
+          cd RESULTS
           RPMVERSION=$(ls ./openssl-libs-3*ciqfips*.x86_64.rpm | sed -e 's/.*openssl-libs-\(3.*\)\.x86_64\.rpm/\1/')
-          echo "Creating fips module tarball"
-          tar -czf fips_module-${RPMVERSION}.tar.gz fips_module
-          sha256sum fips_module-${RPMVERSION}.tar.gz > fips_module-${RPMVERSION}.tar.gz.sha256
+          echo "Creating fips provider tarball"
+          #tar -czf fips_module-${RPMVERSION}.tar.gz fips_module
+          #sha256sum fips_module-${RPMVERSION}.tar.gz > fips_module-${RPMVERSION}.tar.gz.sha256
+
+          tar -czf openssl-fips-provider-${RPMVERSION}.tar.gz *.rpm
+          sha256sum openssl-fips-provider-${RPMVERSION}.tar.gz > openssl-fips-provider-${RPMVERSION}.tar.gz.sha256
 
       - uses: actions/upload-artifact@v4
         with:
@@ -63,7 +66,7 @@ jobs:
             RESULTS/*.rpm
       - uses: actions/upload-artifact@v4
         with:
-          name: fips_module_tarball
+          name: fips_tarball
           path: |
             RESULTS/*.tar.gz
             RESULTS/*.tar.gz.sha256

SOURCES/rocky_fips_provider-2.patch → SOURCES/0138-rocky_fips_provider-2.patch

@@ -97,3 +97,4 @@ index dd508ae7..eb68b308 100644
      if (indicator == NULL) {
          fprintf(stderr, "No indicator for operation, probably using implicit"
                          " indicators.\n");
+

SOURCES/0139-Add-KAT-and-enable-support-for-ED25519-and-ED448-in-.patch

@@ -0,0 +1,320 @@
+From 806556e99d70c8f34c18cd54c23c837cfdad68b9 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <[email protected]>
+Date: Thu, 31 Oct 2024 15:16:41 -0700
+Subject: [PATCH 1/3] Add KAT and enable support for ED25519 and ED448 in the
+ FIPS provider.
+
+Still need a PCT, but this works and is valgrind clean.
+
+Signed-off-by: Jeremy Allison <[email protected]>
+---
+ include/openssl/self_test.h       |   2 +
+ providers/fips/fipsprov.c         |   9 +--
+ providers/fips/self_test_data.inc |  93 ++++++++++++++++++++++
+ providers/fips/self_test_kats.c   | 128 +++++++++++++++++++++++++++++-
+ 4 files changed, 226 insertions(+), 6 deletions(-)
+
+diff --git a/include/openssl/self_test.h b/include/openssl/self_test.h
+index ee4949e..7ff95eb 100644
+--- a/include/openssl/self_test.h
++++ b/include/openssl/self_test.h
+@@ -72,6 +72,8 @@ extern "C" {
+ # define OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT  "TLS13_KDF_EXTRACT"
+ # define OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND   "TLS13_KDF_EXPAND"
+ # define OSSL_SELF_TEST_DESC_RNG            "RNG"
++# define OSSL_SELF_TEST_DESC_SIGN_ED25519   "ED25519"
++# define OSSL_SELF_TEST_DESC_SIGN_ED448     "ED448"
+
+ void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb,
+                                  void *cbarg);
+diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
+index dd80c77..5131380 100644
+--- a/providers/fips/fipsprov.c
++++ b/providers/fips/fipsprov.c
+@@ -411,9 +411,8 @@ static const OSSL_ALGORITHM fips_signature[] = {
+ #endif
+     { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
+ #ifndef OPENSSL_NO_EC
+-    /* We don't certify Edwards curves in our FIPS provider */
+-    /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
+-    { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */
++    { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
++    { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
+     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
+ #endif
+     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
+@@ -520,11 +519,11 @@ static const OSSL_ALGORITHM fips_keymgmt[] = {
+     /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
+       PROV_DESCS_X25519 },
+     { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
+-      PROV_DESCS_X448 },
++      PROV_DESCS_X448 }, */
+     { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
+       PROV_DESCS_ED25519 },
+     { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
+-      PROV_DESCS_ED448 }, */
++      PROV_DESCS_ED448 },
+ #endif
+     { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+       PROV_DESCS_TLS1_PRF_SIGN },
+diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
+index cc10898..79fec4a 100644
+--- a/providers/fips/self_test_data.inc
++++ b/providers/fips/self_test_data.inc
+@@ -1569,6 +1569,85 @@ static const unsigned char ec256v1_kat_sig[] = {
+ 0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b,
+ 0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66
+ };
++
++/* EDDSA - ED25519 and ED448. */
++static const uint8_t ed25519_secret_key[] = {
++0xf5, 0xe5, 0x76, 0x7c, 0xf1, 0x53, 0x31, 0x95,
++0x17, 0x63, 0x0f, 0x22, 0x68, 0x76, 0xb8, 0x6c,
++0x81, 0x60, 0xcc, 0x58, 0x3b, 0xc0, 0x13, 0x74,
++0x4c, 0x6b, 0xf2, 0x55, 0xf5, 0xcc, 0x0e, 0xe5
++};
++
++static const uint8_t ed25519_public_key[] = {
++0x27, 0x81, 0x17, 0xfc, 0x14, 0x4c, 0x72, 0x34,
++0x0f, 0x67, 0xd0, 0xf2, 0x31, 0x6e, 0x83, 0x86,
++0xce, 0xff, 0xbf, 0x2b, 0x24, 0x28, 0xc9, 0xc5,
++0x1f, 0xef, 0x7c, 0x59, 0x7f, 0x1d, 0x42, 0x6e
++};
++
++static const uint8_t ed25519_sig[] = {
++0xb4, 0x17, 0x80, 0xea, 0x29, 0xc9, 0x3c, 0x19,
++0x52, 0x39, 0xd9, 0x02, 0x4c, 0xd8, 0x80, 0xc0,
++0x4e, 0xbe, 0xc3, 0x2a, 0xc8, 0x1a, 0x39, 0x39,
++0xe7, 0x51, 0xef, 0x80, 0x7a, 0x2c, 0x0a, 0x90,
++0xe6, 0x54, 0xf4, 0x6d, 0xd3, 0xab, 0x4f, 0xdb,
++0xdf, 0x6d, 0xca, 0xbe, 0x75, 0x63, 0xf8, 0x35,
++0xc0, 0xe9, 0x41, 0xe5, 0xcc, 0xca, 0x53, 0xf2,
++0x04, 0x86, 0x07, 0xe2, 0x26, 0xb3, 0xd4, 0x05
++};
++
++static const ST_KAT_PARAM key_ed25519[] = {
++    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY, ed25519_secret_key),
++    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ed25519_public_key),
++    ST_KAT_PARAM_END()
++};
++
++static const uint8_t ed448_secret_key[] = {
++0x2e, 0xc5, 0xfe, 0x3c, 0x17, 0x04, 0x5a, 0xbd,
++0xb1, 0x36, 0xa5, 0xe6, 0xa9, 0x13, 0xe3, 0x2a,
++0xb7, 0x5a, 0xe6, 0x8b, 0x53, 0xd2, 0xfc, 0x14,
++0x9b, 0x77, 0xe5, 0x04, 0x13, 0x2d, 0x37, 0x56,
++0x9b, 0x7e, 0x76, 0x6b, 0xa7, 0x4a, 0x19, 0xbd,
++0x61, 0x62, 0x34, 0x3a, 0x21, 0xc8, 0x59, 0x0a,
++0xa9, 0xce, 0xbc, 0xa9, 0x01, 0x4c, 0x63, 0x6d,
++0xf5
++};
++
++static const uint8_t ed448_public_key[] = {
++0x79, 0x75, 0x6f, 0x01, 0x4d, 0xcf, 0xe2, 0x07,
++0x9f, 0x5d, 0xd9, 0xe7, 0x18, 0xbe, 0x41, 0x71,
++0xe2, 0xef, 0x24, 0x86, 0xa0, 0x8f, 0x25, 0x18,
++0x6f, 0x6b, 0xff, 0x43, 0xa9, 0x93, 0x6b, 0x9b,
++0xfe, 0x12, 0x40, 0x2b, 0x08, 0xae, 0x65, 0x79,
++0x8a, 0x3d, 0x81, 0xe2, 0x2e, 0x9e, 0xc8, 0x0e,
++0x76, 0x90, 0x86, 0x2e, 0xf3, 0xd4, 0xed, 0x3a,
++0x00
++};
++
++static const uint8_t ed448_sig[] = {
++0x5c, 0xc7, 0x7d, 0x1e, 0x41, 0x75, 0xc2, 0x38,
++0x5c, 0x76, 0xf2, 0x0f, 0xfe, 0x6e, 0xec, 0xe8,
++0x91, 0x9b, 0x72, 0x9b, 0x8d, 0xad, 0xf8, 0x10,
++0x79, 0xee, 0x7e, 0x73, 0xb4, 0x0f, 0x7e, 0x4a,
++0x13, 0xdc, 0x6e, 0xdd, 0x01, 0x9a, 0x9b, 0xc3,
++0xd7, 0xd4, 0xf1, 0x6e, 0x34, 0x9c, 0x01, 0x0d,
++0xb4, 0xca, 0x2b, 0xb3, 0xd3, 0x46, 0x0c, 0x3f,
++0x80, 0x7d, 0x52, 0x6b, 0xdd, 0xd3, 0x8d, 0x54,
++0x66, 0xea, 0x48, 0xad, 0x11, 0xbb, 0x2d, 0xd5,
++0xab, 0xde, 0x81, 0x08, 0x18, 0x6d, 0x49, 0x64,
++0x04, 0x6c, 0xa3, 0x0e, 0xac, 0xd4, 0xc3, 0xbc,
++0xd3, 0x1c, 0x35, 0x19, 0x61, 0xf8, 0x46, 0xb9,
++0x8a, 0x81, 0xd0, 0x01, 0x86, 0x34, 0x17, 0xe8,
++0x65, 0x04, 0x5f, 0xf5, 0xf2, 0x53, 0xa4, 0xa3,
++0x0e, 0x00
++};
++
++static const ST_KAT_PARAM key_ed448[] = {
++    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PRIV_KEY, ed448_secret_key),
++    ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ed448_public_key),
++    ST_KAT_PARAM_END()
++};
++
+ # ifndef OPENSSL_NO_EC2M
+ static const char ecd_bin_curve_name[] = "sect233r1";
+ static const unsigned char ecd_bin_priv[] = {
+@@ -1733,6 +1812,20 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = {
+         ITM(rsa_expected_sig)
+     },
+ #ifndef OPENSSL_NO_EC
++    {
++        OSSL_SELF_TEST_DESC_SIGN_ED25519,
++        "ED25519",
++        "SHA-256",
++        key_ed25519,
++        ITM(ed25519_sig)
++    },
++    {
++        OSSL_SELF_TEST_DESC_SIGN_ED448,
++        "ED448",
++        "SHA-256",
++        key_ed448,
++        ITM(ed448_sig)
++    },
+     {
+         OSSL_SELF_TEST_DESC_SIGN_ECDSA,
+         "EC",
+diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c
+index 169460a..6cca054 100644
+--- a/providers/fips/self_test_kats.c
++++ b/providers/fips/self_test_kats.c
+@@ -542,6 +542,126 @@ err:
+     return ret;
+ }
+
++static int self_test_eddsa_sign(const ST_KAT_SIGN *t,
++                         OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
++{
++    int ret = 0;
++    const char *message = "Hello World!";
++    unsigned char test_signature[256];
++    size_t sig_len = sizeof(test_signature);
++    EVP_PKEY *pkey = NULL;
++    EVP_MD_CTX *md_ctx = NULL;
++    EVP_PKEY_CTX *kctx = NULL;
++    EVP_PKEY_CTX *sctx = NULL;
++    const char *typ = OSSL_SELF_TEST_TYPE_KAT_SIGNATURE;
++    OSSL_PARAM params[3] = { 0 };
++
++    OSSL_SELF_TEST_onbegin(st, typ, t->desc);
++
++    params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PRIV_KEY,
++                                                  (void *)t->key[0].data,
++                                                  t->key[0].data_len);
++    params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
++                                                  (void *)t->key[1].data,
++                                                  t->key[1].data_len);
++    params[2] = OSSL_PARAM_construct_end();
++
++    md_ctx = EVP_MD_CTX_new();
++    if (md_ctx == NULL) {
++        goto err;
++    }
++
++    kctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, "");
++    if (kctx == NULL) {
++        goto err;
++    }
++
++    if (!EVP_PKEY_fromdata_init(kctx)) {
++        goto err;
++    }
++
++    if (!EVP_PKEY_fromdata(kctx,
++                           &pkey,
++                           EVP_PKEY_KEYPAIR,
++                           params)) {
++        goto err;
++    }
++
++    EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++
++    if (EVP_DigestSignInit(md_ctx,
++                           &sctx,
++                           NULL,
++                           NULL,
++                           pkey) != 1) {
++        goto err;
++    }
++
++    if (EVP_DigestSign(md_ctx,
++                       test_signature,
++                       &sig_len,
++                       (uint8_t *)message,
++                       strlen(message)) != 1) {
++        goto err;
++    }
++
++    if (sig_len != t->sig_expected_len) {
++        goto err;
++    }
++
++    if (memcmp(test_signature, t->sig_expected, sig_len) != 0) {
++        goto err;
++    }
++
++    /* Now check verify. */
++    EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT);
++
++    if (EVP_DigestVerifyInit(md_ctx,
++                             &sctx,
++                             NULL,
++                             NULL,
++                             pkey) != 1) {
++        goto err;
++    }
++
++    if (EVP_DigestVerify(md_ctx,
++                         t->sig_expected,
++                         t->sig_expected_len,
++                         (uint8_t *)message,
++                         strlen(message)) != 1) {
++        goto err;
++    }
++
++    /* Check a bad signature doesn't match. */
++    test_signature[0] ^= 0x1;
++    if (EVP_DigestVerify(md_ctx,
++                         test_signature,
++                         sig_len,
++                         (uint8_t *)message,
++                         strlen(message)) == 1) {
++        goto err;
++    }
++
++    ret = 1;
++
++ err:
++
++    if (sctx != NULL) {
++        EVP_PKEY_CTX_free(sctx);
++    }
++    if (md_ctx != NULL) {
++        EVP_MD_CTX_free(md_ctx);
++    }
++    if (pkey != NULL) {
++        EVP_PKEY_free(pkey);
++    }
++    if (kctx != NULL) {
++        EVP_PKEY_CTX_free(kctx);
++    }
++    OSSL_SELF_TEST_onend(st, ret);
++    return ret;
++}
++
+ /*
+  * Test an encrypt or decrypt KAT..
+  *
+@@ -717,8 +837,14 @@ static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx)
+     ROCKY_FIPS_signature_st = 1;
+
+     for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) {
+-        if (!self_test_sign(&st_kat_sign_tests[i], st, libctx))
++        if ((strcmp("ED25519", st_kat_sign_tests[i].algorithm)==0) ||
++            (strcmp("ED448", st_kat_sign_tests[i].algorithm)==0)) {
++            if (!self_test_eddsa_sign(&st_kat_sign_tests[i], st, libctx)) {
++                ret = 0;
++            }
++        } else if (!self_test_sign(&st_kat_sign_tests[i], st, libctx)) {
+             ret = 0;
++        }
+     }
+     ROCKY_FIPS_signature_st = 0;
+     return ret;
+-- 
+2.43.5
+