diff --git a/.azure-pipelines/build-template.yml b/.azure-pipelines/build-template.yml index fc69947..6946c06 100644 --- a/.azure-pipelines/build-template.yml +++ b/.azure-pipelines/build-template.yml @@ -62,6 +62,9 @@ jobs: sudo pip3 install --break-system-packages blurb + # Install dget for download debian package source code + sudo apt-get install -y devscripts + mkdir -p $(Pipeline.Workspace)/target displayName: 'Install packages' - checkout: self @@ -96,10 +99,6 @@ jobs: echo 40-Modify-tests-with-unsupported-behavior.patch >> src/openssl.patch/series openssl engine -v | grep -i symcrypt openssl list --providers | grep -i symcrypt - pushd src/openssl - git clean -xdf - git checkout -- . - popd ARCH=${{ parameters.arch }} TARGET_PATH=target-test make openssl echo 0 | sudo tee /etc/fips/fips_enable diff --git a/.azure-pipelines/install-packages.sh b/.azure-pipelines/install-packages.sh index bf49d5d..cd5538d 100755 --- a/.azure-pipelines/install-packages.sh +++ b/.azure-pipelines/install-packages.sh @@ -12,6 +12,9 @@ sudo apt-get install -y dh-exec dh-runit libaudit-dev libedit-dev libfido2-dev l sudo apt-get install -y libwrap0-dev pkg-config sudo apt-get install -y libpam-dev libselinux1-dev libsystemd-dev libwrap0-dev +# Install dget for download debian package source code +sudo apt-get install -y devscripts + # Build Golang sudo apt-get install -y golang diff --git a/.azure-pipelines/test-multiarch.sh b/.azure-pipelines/test-multiarch.sh index 657a102..33690cd 100755 --- a/.azure-pipelines/test-multiarch.sh +++ b/.azure-pipelines/test-multiarch.sh @@ -23,12 +23,6 @@ sudo mkdir -p /etc/fips echo 1 | sudo tee /etc/fips/fips_enable openssl engine -v | grep -i symcrypt -# Cleanup OpenSSL source folder -pushd src/openssl -git clean -xdf -git checkout -- . -popd - # Build the OpenSSL again with SymCrypt enabled rm -f src/openssl/test/recipes/30-test_afalg.t echo 40-Modify-tests-with-unsupported-behavior.patch >> src/openssl.patch/series 
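Review bot: The new `sudo apt-get install -y devscripts` step in the first hunk installs the `dget` that rules/krb5.mk and rules/openssl.mk invoke with `-u`, but nothing installs a keyring that dget's `dscverify` could check the downloaded .dsc against, so the fetch can only ever run unauthenticated. Adding `debian-keyring` next to `devscripts` here (and in .azure-pipelines/install-packages.sh, which adds the same line) is what would allow the `-u` flag to be dropped so the uploader signature is actually verified. Wording nit on the added comment: `# Install dget (devscripts) to download Debian source packages` reads more naturally than "for download debian package source code".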
diff --git a/.gitmodules b/.gitmodules index a081633..5e1a534 100644 --- a/.gitmodules +++ b/.gitmodules @@ -16,12 +16,6 @@ [submodule "src/golang-debian"] path = src/golang-debian url = https://salsa.debian.org/go-team/compiler/golang.git -[submodule "src/openssl"] - path = src/openssl - url = https://salsa.debian.org/debian/openssl -[submodule "src/krb5"] - path = src/krb5 - url = https://salsa.debian.org/debian/krb5 [submodule "src/golang-fips"] path = src/golang-fips url = https://github.com/golang-fips/go diff --git a/rules/krb5.mk b/rules/krb5.mk index 05dfced..d577e3b 100644 --- a/rules/krb5.mk +++ b/rules/krb5.mk @@ -1,9 +1,21 @@ # krb5 -KRB5_VERSION = 1.20.1-2+deb12u1 -KRB5_VERSION_FIPS = $(KRB5_VERSION)+fips +KRB5_VERSION_MAIN = 1.20.1 +KRB5_VERSION_FULL = $(KRB5_VERSION_MAIN)-2+deb12u2 +KRB5_VERSION_FIPS = $(KRB5_VERSION_FULL)+fips KRB5 = libk5crypto3_$(KRB5_VERSION_FIPS)_$(ARCH).deb $(KRB5)_SRC_PATH = $(SRC_PATH)/krb5 +KERB5_DST_PATH = krb5-$(KRB5_VERSION_MAIN) + +# Download krb5 code +$(KRB5)_PRE_SCRIPT = rm -rf $(KERB5_DST_PATH); \ + rm -rf $(SRC_PATH)/krb5; \ + dget -u http://deb.debian.org/debian/pool/main/k/krb5/krb5_$(KRB5_VERSION_FULL).dsc; \ + mv $(KERB5_DST_PATH) $(SRC_PATH)/krb5; \ + pushd $(SRC_PATH)/krb5; \ + quilt pop -a -f; \ + rm -rf .pc; \ + popd; MAIN_TARGETS += $(KRB5) -$(KRB5)_DERIVED_DEBS = +$(KRB5)_DERIVED_DEBS = \ No newline at end of file diff --git a/rules/openssl.mk b/rules/openssl.mk index 289b1d8..d978a8c 100644 --- a/rules/openssl.mk +++ b/rules/openssl.mk 
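Review bot: In the new `$(KRB5)_PRE_SCRIPT`, `dget -u http://deb.debian.org/...` fetches the source package over plaintext with dscverify disabled (`-u` is `--allow-unauthenticated`), so the tree that ends up in the FIPS-labelled `libk5crypto3` package is whatever the mirror or the network path returns; the same pattern is in `$(OPENSSL)_PRE_SCRIPT` in rules/openssl.mk. Dropping `-u` makes dget verify the .dsc signature and the file checksums it lists (the build host then needs the Debian keyring installed), and `https://deb.debian.org` removes the plaintext hop; where the keyring is not available, pinning an expected SHA-256 of the .dsc in the rule is a cheaper alternative to no check at all. Separately, the commands are joined with `;`, so a failed download does not stop the recipe and `mv`, `pushd` and `quilt pop` run against a missing tree; `set -e; \` at the start of the script or `&&` between the steps makes the failure fatal at the right point, and `pushd`/`popd` are bash builtins, so this also depends on make's SHELL being bash (not visible in this hunk — `cd ... && ...` in a subshell avoids that dependency). Naming nit: `KERB5_DST_PATH` diverges from the `KRB5_` prefix used on every other variable in the file and from `OPENSSL_DST_PATH` in the sibling rule.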
@@ -1,9 +1,21 @@ # openssl -OPENSSL_VERSION = 3.0.11-1~deb12u2 -OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION)+fips +OPENSSL_VERSION_MAIN = 3.0.15 +OPENSSL_VERSION_FULL = $(OPENSSL_VERSION_MAIN)-1~deb12u1 +OPENSSL_VERSION_FIPS = $(OPENSSL_VERSION_FULL)+fips OPENSSL = openssl_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb $(OPENSSL)_SRC_PATH = $(SRC_PATH)/openssl +OPENSSL_DST_PATH = openssl-$(OPENSSL_VERSION_MAIN) + +# Download openssl code +$(OPENSSL)_PRE_SCRIPT = rm -rf $(OPENSSL_DST_PATH); \ + rm -rf $(SRC_PATH)/openssl; \ + dget -u http://deb.debian.org/debian/pool/main/o/openssl/openssl_$(OPENSSL_VERSION_FULL).dsc; \ + mv $(OPENSSL_DST_PATH) $(SRC_PATH)/openssl; \ + pushd $(SRC_PATH)/openssl; \ + quilt pop -a -f; \ + rm -rf .pc; \ + popd; MAIN_TARGETS += $(OPENSSL) $(OPENSSL)_DERIVED_DEBS = libssl3_$(OPENSSL_VERSION_FIPS)_$(ARCH).deb diff --git a/src/krb5 b/src/krb5 deleted file mode 160000 index 029c5a9..0000000 --- a/src/krb5 +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 029c5a9be085fa52bca8805936b0738f00cfea42 diff --git a/src/openssl b/src/openssl deleted file mode 160000 index 5790e8c..0000000 --- a/src/openssl +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 5790e8c060c75afd07082067e752df8d291ca116 diff --git a/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch b/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch index 5de1079..fa5b1bc 100644 --- a/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch +++ b/src/openssl.patch/40-Modify-tests-with-unsupported-behavior.patch @@ -103,10 +103,10 @@ diff --git a/test/evp_pkey_provided_test.c b/test/evp_pkey_provided_test.c index 1aabfef893b08..fb817f155f68f 100644 --- a/test/evp_pkey_provided_test.c 
+++ b/test/evp_pkey_provided_test.c -@@ -346,102 +346,102 @@ static int test_print_key_using_encoder_public(const char *alg, +@@ -346,105 +346,105 @@ static int test_print_key_using_encoder_public(const char *alg, #define DQ 6 #define QINV 7 - + -static int test_fromdata_rsa(void) -{ - int ret = 0, i; @@ -150,7 +150,7 @@ index 1aabfef893b08..fb817f155f68f 100644 - fromdata_params), 1)) - goto err; - -- while (dup_pk == NULL) { +- for (;;) { - ret = 0; - if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) - || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), 8) @@ -178,7 +178,10 @@ index 1aabfef893b08..fb817f155f68f 100644 - ret = test_print_key_using_pem("RSA", pk) - && test_print_key_using_encoder("RSA", pk); - -- if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) +- if (!ret || dup_pk != NULL) +- break; +- +- if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) - goto err; - ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); - EVP_PKEY_free(pk); 
@@ -203,102 +206,105 @@ index 1aabfef893b08..fb817f155f68f 100644 - - return ret; -} -+// static int test_fromdata_rsa(void) -+// { -+// int ret = 0, i; -+// EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; -+// EVP_PKEY *pk = NULL, *copy_pk = NULL, *dup_pk = NULL; -+// /* -+// * 32-bit RSA key, extracted from this command, -+// * executed with OpenSSL 1.0.2: -+// * -+// * openssl genrsa 32 | openssl rsa -text -+// */ -+// static unsigned long key_numbers[] = { -+// 0xbc747fc5, /* N */ -+// 0x10001, /* E */ -+// 0x7b133399, /* D */ -+// 0xe963, /* P */ -+// 0xceb7, /* Q */ -+// 0x8599, /* DP */ -+// 0xbd87, /* DQ */ -+// 0xcc3b, /* QINV */ -+// }; -+// OSSL_PARAM fromdata_params[] = { -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_N, &key_numbers[N]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_E, &key_numbers[E]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_D, &key_numbers[D]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR1, &key_numbers[P]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR2, &key_numbers[Q]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT1, &key_numbers[DP]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT2, &key_numbers[DQ]), -+// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &key_numbers[QINV]), -+// OSSL_PARAM_END -+// }; -+// BIGNUM *bn = BN_new(); -+// BIGNUM *bn_from = BN_new(); -+ -+// if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))) -+// goto err; -+ -+// if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) -+// || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, -+// fromdata_params), 1)) -+// goto err; -+ -+// while (dup_pk == NULL) { -+// ret = 0; -+// if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) -+// || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), 8) -+// || !TEST_int_eq(EVP_PKEY_get_size(pk), 4) -+// || !TEST_false(EVP_PKEY_missing_parameters(pk))) -+// goto err; -+ -+// EVP_PKEY_CTX_free(key_ctx); -+// if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) -+// goto err; -+ -+// if 
(!TEST_int_gt(EVP_PKEY_check(key_ctx), 0) -+// || !TEST_int_gt(EVP_PKEY_public_check(key_ctx), 0) -+// || !TEST_int_gt(EVP_PKEY_private_check(key_ctx), 0) -+// || !TEST_int_gt(EVP_PKEY_pairwise_check(key_ctx), 0)) -+// goto err; -+ -+// /* EVP_PKEY_copy_parameters() should fail for RSA */ -+// if (!TEST_ptr(copy_pk = EVP_PKEY_new()) -+// || !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk))) -+// goto err; -+// EVP_PKEY_free(copy_pk); -+// copy_pk = NULL; -+ -+// ret = test_print_key_using_pem("RSA", pk) -+// && test_print_key_using_encoder("RSA", pk); -+ -+// if (!ret || !TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) -+// goto err; -+// ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); -+// EVP_PKEY_free(pk); -+// pk = dup_pk; -+// if (!ret) -+// goto err; -+// } -+// err: -+// /* for better diagnostics always compare key params */ -+// for (i = 0; fromdata_params[i].key != NULL; ++i) { -+// if (!TEST_true(BN_set_word(bn_from, key_numbers[i])) -+// || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn)) -+// || !TEST_BN_eq(bn, bn_from)) -+// ret = 0; -+// } -+// BN_free(bn_from); -+// BN_free(bn); -+// EVP_PKEY_free(pk); -+// EVP_PKEY_free(copy_pk); -+// EVP_PKEY_CTX_free(key_ctx); -+// EVP_PKEY_CTX_free(ctx); -+ -+// return ret; -+// } ++//static int test_fromdata_rsa(void) ++//{ ++// int ret = 0, i; ++// EVP_PKEY_CTX *ctx = NULL, *key_ctx = NULL; ++// EVP_PKEY *pk = NULL, *copy_pk = NULL, *dup_pk = NULL; ++// /* ++// * 32-bit RSA key, extracted from this command, ++// * executed with OpenSSL 1.0.2: ++// * ++// * openssl genrsa 32 | openssl rsa -text ++// */ ++// static unsigned long key_numbers[] = { ++// 0xbc747fc5, /* N */ ++// 0x10001, /* E */ ++// 0x7b133399, /* D */ ++// 0xe963, /* P */ ++// 0xceb7, /* Q */ ++// 0x8599, /* DP */ ++// 0xbd87, /* DQ */ ++// 0xcc3b, /* QINV */ ++// }; ++// OSSL_PARAM fromdata_params[] = { ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_N, &key_numbers[N]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_E, &key_numbers[E]), ++// 
OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_D, &key_numbers[D]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR1, &key_numbers[P]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_FACTOR2, &key_numbers[Q]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT1, &key_numbers[DP]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_EXPONENT2, &key_numbers[DQ]), ++// OSSL_PARAM_ulong(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &key_numbers[QINV]), ++// OSSL_PARAM_END ++// }; ++// BIGNUM *bn = BN_new(); ++// BIGNUM *bn_from = BN_new(); ++// ++// if (!TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL))) ++// goto err; ++// ++// if (!TEST_int_eq(EVP_PKEY_fromdata_init(ctx), 1) ++// || !TEST_int_eq(EVP_PKEY_fromdata(ctx, &pk, EVP_PKEY_KEYPAIR, ++// fromdata_params), 1)) ++// goto err; ++// ++// for (;;) { ++// ret = 0; ++// if (!TEST_int_eq(EVP_PKEY_get_bits(pk), 32) ++// || !TEST_int_eq(EVP_PKEY_get_security_bits(pk), 8) ++// || !TEST_int_eq(EVP_PKEY_get_size(pk), 4) ++// || !TEST_false(EVP_PKEY_missing_parameters(pk))) ++// goto err; ++// ++// EVP_PKEY_CTX_free(key_ctx); ++// if (!TEST_ptr(key_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pk, ""))) ++// goto err; ++// ++// if (!TEST_int_gt(EVP_PKEY_check(key_ctx), 0) ++// || !TEST_int_gt(EVP_PKEY_public_check(key_ctx), 0) ++// || !TEST_int_gt(EVP_PKEY_private_check(key_ctx), 0) ++// || !TEST_int_gt(EVP_PKEY_pairwise_check(key_ctx), 0)) ++// goto err; ++// ++// /* EVP_PKEY_copy_parameters() should fail for RSA */ ++// if (!TEST_ptr(copy_pk = EVP_PKEY_new()) ++// || !TEST_false(EVP_PKEY_copy_parameters(copy_pk, pk))) ++// goto err; ++// EVP_PKEY_free(copy_pk); ++// copy_pk = NULL; ++// ++// ret = test_print_key_using_pem("RSA", pk) ++// && test_print_key_using_encoder("RSA", pk); ++// ++// if (!ret || dup_pk != NULL) ++// break; ++// ++// if (!TEST_ptr(dup_pk = EVP_PKEY_dup(pk))) ++// goto err; ++// ret = ret && TEST_int_eq(EVP_PKEY_eq(pk, dup_pk), 1); ++// EVP_PKEY_free(pk); ++// pk = dup_pk; ++// if (!ret) ++// goto err; ++// } ++// err: ++// /* 
for better diagnostics always compare key params */ ++// for (i = 0; fromdata_params[i].key != NULL; ++i) { ++// if (!TEST_true(BN_set_word(bn_from, key_numbers[i])) ++// || !TEST_true(EVP_PKEY_get_bn_param(pk, fromdata_params[i].key, &bn)) ++// || !TEST_BN_eq(bn, bn_from)) ++// ret = 0; ++// } ++// BN_free(bn_from); ++// BN_free(bn); ++// EVP_PKEY_free(pk); ++// EVP_PKEY_free(copy_pk); ++// EVP_PKEY_CTX_free(key_ctx); ++// EVP_PKEY_CTX_free(ctx); ++// ++// return ret; ++//} static int test_evp_pkey_get_bn_param_large(void) {
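Review bot: The re-synced replacement body in this hunk still disables `test_fromdata_rsa` by line-commenting its entire body with `//`, which is exactly why the upstream change from `while (dup_pk == NULL)` to `for (;;)` forced this patch to be regenerated (hunks 1–3 above only adjust the removed-line side and the hunk counts). Wrapping the original function in `#if 0` / `#endif`, or keeping it compiled and returning `TEST_skip("...")` early when the SymCrypt provider is active, would leave the function text byte-identical to upstream, shrink this patch to a few lines, and make the lost coverage (EVP_PKEY_check / pairwise_check on an RSA keypair) visible as a skip in the test log rather than silently absent. The commented-out function ends inside this hunk; `test_evp_pkey_get_bn_param_large` on the last context line is untouched.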