forked from rpms/openssl
Change explicit FIPS indicator for RSA decryption to unapproved
Resolves: rhbz#2179379 Signed-off-by: Clemens Lang <cllang@redhat.com>
This commit is contained in:
parent
1bd2a0cee3
commit
0dea6db970
@ -21,9 +21,9 @@ Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||
---
|
||||
include/openssl/core_names.h | 2 ++
|
||||
include/openssl/evp.h | 4 +++
|
||||
.../implementations/asymciphers/rsa_enc.c | 31 +++++++++++++++++++
|
||||
providers/implementations/kem/rsa_kem.c | 30 +++++++++++++++++-
|
||||
4 files changed, 66 insertions(+), 1 deletion(-)
|
||||
.../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++
|
||||
providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++-
|
||||
4 files changed, 59 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
|
||||
index 832502a034..e15d208421 100644
|
||||
@ -61,10 +61,10 @@ index ec2ba46fbd..3803b03422 100644
|
||||
const char *properties);
|
||||
int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt);
|
||||
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
|
||||
index 568452ec56..0a9adb4056 100644
|
||||
index 568452ec56..2e7ea632d7 100644
|
||||
--- a/providers/implementations/asymciphers/rsa_enc.c
|
||||
+++ b/providers/implementations/asymciphers/rsa_enc.c
|
||||
@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
|
||||
if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
|
||||
return 0;
|
||||
|
||||
@ -73,23 +73,16 @@ index 568452ec56..0a9adb4056 100644
|
||||
+ if (p != NULL) {
|
||||
+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED;
|
||||
+
|
||||
+ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) {
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted
|
||||
+ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport
|
||||
+ * scheme, but explicit key confirmation is not implemented here
|
||||
+ * and cannot be implemented without protocol changes, and the FIPS
|
||||
+ * provider does not implement trusted third party validation,
|
||||
+ * since it relies on its callers to do that. We must thus mark
|
||||
+ * RSA-OAEP as unapproved until we have received clarification from
|
||||
+ * NIST on how library modules such as OpenSSL should implement TTP
|
||||
+ * validation.
|
||||
+ *
|
||||
+ * This does not affect decryption, because it is approved as
|
||||
+ * a component according to the FIPS 140-3 IG, section 2.4.G.
|
||||
+ */
|
||||
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+ }
|
||||
+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key
|
||||
+ * confirmation (section 6.4.2.3.2), or assurance from a trusted third
|
||||
+ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but
|
||||
+ * explicit key confirmation is not implemented here and cannot be
|
||||
+ * implemented without protocol changes, and the FIPS provider does not
|
||||
+ * implement trusted third party validation, since it relies on its
|
||||
+ * callers to do that. We must thus mark RSA-OAEP as unapproved until
|
||||
+ * we have received clarification from NIST on how library modules such
|
||||
+ * as OpenSSL should implement TTP validation. */
|
||||
+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
|
||||
+
|
||||
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
||||
+ return 0;
|
||||
|
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.7
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -507,6 +507,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
|
||||
- Change explicit FIPS indicator for RSA decryption to unapproved
|
||||
Resolves: rhbz#2179379
|
||||
|
||||
* Mon Mar 20 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-11
|
||||
- Add missing reference to patchfile to add explicit FIPS indicator to RSA
|
||||
encryption and RSASVE and fix the gettable parameter list for the RSA
|
||||
|
Loading…
Reference in New Issue
Block a user