forked from rpms/openssl
import openssl-3.0.1-5.el9
This commit is contained in:
parent
9535c0d629
commit
47cc85c5fc
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/openssl-3.0.0-hobbled.tar.xz
|
SOURCES/openssl-3.0.1-hobbled.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
68bab87c3606ad903a4b74e2cd79bf3bb30fd6b3 SOURCES/openssl-3.0.0-hobbled.tar.xz
|
1170b5119f0e591f6a2515d099abd06d0184f77c SOURCES/openssl-3.0.1-hobbled.tar.xz
|
||||||
|
@ -216,14 +216,6 @@ index b1d3f7919e..f7cc7fed48 100644
|
|||||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||||
@@ -1622,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
|
||||||
|
|
||||||
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
|
|
||||||
sk_SSL_CIPHER_free(cipherstack);
|
|
||||||
+ OPENSSL_free(co_list);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
*cipher_list = cipherstack;
|
*cipher_list = cipherstack;
|
||||||
|
|
||||||
|
@ -56,12 +56,12 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1
|
|||||||
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)
|
||||||
&& context_init(&default_context_int);
|
&& context_init(&default_context_int);
|
||||||
}
|
}
|
||||||
diff -up openssl-3.0.0/include/internal/provider.h.embed-fips openssl-3.0.0/include/internal/provider.h
|
diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h
|
||||||
--- openssl-3.0.0/include/internal/provider.h.embed-fips 2021-11-12 12:18:36.215333452 +0100
|
--- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100
|
||||||
+++ openssl-3.0.0/include/internal/provider.h 2021-11-12 12:22:41.298409269 +0100
|
+++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100
|
||||||
@@ -109,6 +109,9 @@ int ossl_provider_init_as_child(OSSL_LIB
|
@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB
|
||||||
const OSSL_CORE_HANDLE *handle,
|
|
||||||
const OSSL_DISPATCH *in);
|
const OSSL_DISPATCH *in);
|
||||||
|
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
||||||
|
|
||||||
+/* FIPS flag access */
|
+/* FIPS flag access */
|
||||||
+int ossl_get_kernel_fips_flag(void);
|
+int ossl_get_kernel_fips_flag(void);
|
||||||
|
@ -1,18 +0,0 @@
|
|||||||
diff --git a/providers/implementations/rands/seed_src.c b/providers/implementations/rands/seed_src.c
|
|
||||||
index 173c99ce1732..7a4b780bb469 100644
|
|
||||||
--- a/providers/implementations/rands/seed_src.c
|
|
||||||
+++ b/providers/implementations/rands/seed_src.c
|
|
||||||
@@ -201,10 +201,11 @@ static size_t seed_get_seed(void *vseed, unsigned char **pout,
|
|
||||||
ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
- *pout = p;
|
|
||||||
if (seed_src_generate(vseed, p, bytes_needed, 0, prediction_resistance,
|
|
||||||
- adin, adin_len) != 0)
|
|
||||||
+ adin, adin_len) != 0) {
|
|
||||||
+ *pout = p;
|
|
||||||
return bytes_needed;
|
|
||||||
+ }
|
|
||||||
OPENSSL_secure_clear_free(p, bytes_needed);
|
|
||||||
return 0;
|
|
||||||
}
|
|
@ -1,139 +1,145 @@
|
|||||||
diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/provider_conf.c
|
#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite
|
||||||
--- openssl-3.0.0/crypto/provider_conf.c.fips-force 2021-11-12 14:21:01.878339467 +0100
|
#(partial) of the function provider_conf_load() under the 'if (activate) section.
|
||||||
+++ openssl-3.0.0/crypto/provider_conf.c 2021-11-12 16:13:19.301542866 +0100
|
#If there is any change to this section, after deleting it in provider_conf_load()
|
||||||
@@ -136,13 +136,73 @@ static int prov_already_activated(const
|
#ensure that you also add those changes to the provider_conf_activate() function.
|
||||||
|
#additionally please add this check for cnf explicitly as shown below.
|
||||||
|
#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;'
|
||||||
|
diff -up openssl-3.0.1/crypto/provider_conf.c.fips-FORCE openssl-3.0.1/crypto/provider_conf.c
|
||||||
|
--- openssl-3.0.1/crypto/provider_conf.c.fips-FORCE 2022-01-18 15:36:00.956141345 +0100
|
||||||
|
+++ openssl-3.0.1/crypto/provider_conf.c 2022-01-18 15:42:36.345172203 +0100
|
||||||
|
@@ -136,58 +136,18 @@ static int prov_already_activated(const
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
+static int provider_conf_activate(OSSL_LIB_CTX *libctx, PROVIDER_CONF_GLOBAL *pcgbl,
|
-static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||||
+ const char *name, const char *value, const char *path,
|
- const char *value, const CONF *cnf)
|
||||||
|
+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name,
|
||||||
|
+ const char *value, const char *path,
|
||||||
+ int soft, const CONF *cnf)
|
+ int soft, const CONF *cnf)
|
||||||
+{
|
{
|
||||||
+ int ok = 0;
|
- int i;
|
||||||
|
- STACK_OF(CONF_VALUE) *ecmds;
|
||||||
|
- int soft = 0;
|
||||||
|
- OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||||
|
- const char *path = NULL;
|
||||||
|
- long activate = 0;
|
||||||
|
int ok = 0;
|
||||||
|
-
|
||||||
|
- name = skip_dot(name);
|
||||||
|
- OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||||
|
- /* Value is a section containing PROVIDER commands */
|
||||||
|
- ecmds = NCONF_get_section(cnf, value);
|
||||||
|
-
|
||||||
|
- if (!ecmds) {
|
||||||
|
- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||||
|
- "section=%s not found", value);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Find the needed data first */
|
||||||
|
- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||||
|
- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||||
|
- const char *confname = skip_dot(ecmd->name);
|
||||||
|
- const char *confvalue = ecmd->value;
|
||||||
|
-
|
||||||
|
- OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||||
|
- confname, confvalue);
|
||||||
|
-
|
||||||
|
- /* First handle some special pseudo confs */
|
||||||
|
-
|
||||||
|
- /* Override provider name to use */
|
||||||
|
- if (strcmp(confname, "identity") == 0)
|
||||||
|
- name = confvalue;
|
||||||
|
- else if (strcmp(confname, "soft_load") == 0)
|
||||||
|
- soft = 1;
|
||||||
|
- /* Load a dynamic PROVIDER */
|
||||||
|
- else if (strcmp(confname, "module") == 0)
|
||||||
|
- path = confvalue;
|
||||||
|
- else if (strcmp(confname, "activate") == 0)
|
||||||
|
- activate = 1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (activate) {
|
||||||
|
- PROVIDER_CONF_GLOBAL *pcgbl
|
||||||
|
- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||||
|
- &provider_conf_ossl_ctx_method);
|
||||||
+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
+ OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
||||||
+
|
+ PROVIDER_CONF_GLOBAL *pcgbl
|
||||||
+ if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||||
|
+ &provider_conf_ossl_ctx_method);
|
||||||
|
|
||||||
|
if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
||||||
|
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||||
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
||||||
+ return 0;
|
return 0;
|
||||||
+ }
|
}
|
||||||
+ if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
||||||
+ /*
|
@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C
|
||||||
+ * There is an attempt to activate a provider, so we should disable
|
if (path != NULL)
|
||||||
+ * loading of fallbacks. Otherwise a misconfiguration could mean the
|
ossl_provider_set_module_path(prov, path);
|
||||||
+ * intended provider does not get loaded. Subsequent fetches could
|
|
||||||
+ * then fallback to the default provider - which may be the wrong
|
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
||||||
+ * thing.
|
|
||||||
+ */
|
|
||||||
+ if (!ossl_provider_disable_fallback_loading(libctx)) {
|
|
||||||
+ CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
||||||
+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ prov = ossl_provider_find(libctx, name, 1);
|
|
||||||
+ if (prov == NULL)
|
|
||||||
+ prov = ossl_provider_new(libctx, name, NULL, 1);
|
|
||||||
+ if (prov == NULL) {
|
|
||||||
+ CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
||||||
+ if (soft)
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (path != NULL)
|
|
||||||
+ ossl_provider_set_module_path(prov, path);
|
|
||||||
+
|
|
||||||
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;
|
||||||
+
|
|
||||||
+ if (ok) {
|
if (ok) {
|
||||||
+ if (!ossl_provider_activate(prov, 1, 0)) {
|
if (!ossl_provider_activate(prov, 1, 0)) {
|
||||||
+ ok = 0;
|
@@ -246,6 +206,55 @@ static int provider_conf_load(OSSL_LIB_C
|
||||||
+ } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
|
ossl_provider_free(prov);
|
||||||
+ ossl_provider_deactivate(prov);
|
}
|
||||||
+ ok = 0;
|
CRYPTO_THREAD_unlock(pcgbl->lock);
|
||||||
+ } else {
|
|
||||||
+ if (pcgbl->activated_providers == NULL)
|
|
||||||
+ pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
|
|
||||||
+ sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual);
|
|
||||||
+ ok = 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (!ok)
|
|
||||||
+ ossl_provider_free(prov);
|
|
||||||
+ }
|
|
||||||
+ CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
||||||
+ return ok;
|
+ return ok;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
||||||
|
+ const char *value, const CONF *cnf)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ STACK_OF(CONF_VALUE) *ecmds;
|
||||||
|
+ int soft = 0;
|
||||||
|
+ const char *path = NULL;
|
||||||
|
+ long activate = 0;
|
||||||
|
+ int ok = 0;
|
||||||
+
|
+
|
||||||
|
+ name = skip_dot(name);
|
||||||
|
+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name);
|
||||||
|
+ /* Value is a section containing PROVIDER commands */
|
||||||
|
+ ecmds = NCONF_get_section(cnf, value);
|
||||||
+
|
+
|
||||||
static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name,
|
+ if (!ecmds) {
|
||||||
const char *value, const CONF *cnf)
|
+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR,
|
||||||
{
|
+ "section=%s not found", value);
|
||||||
int i;
|
+ return 0;
|
||||||
STACK_OF(CONF_VALUE) *ecmds;
|
+ }
|
||||||
int soft = 0;
|
+
|
||||||
- OSSL_PROVIDER *prov = NULL, *actual = NULL;
|
+ /* Find the needed data first */
|
||||||
const char *path = NULL;
|
+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) {
|
||||||
long activate = 0;
|
+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i);
|
||||||
int ok = 0;
|
+ const char *confname = skip_dot(ecmd->name);
|
||||||
@@ -185,55 +245,7 @@ static int provider_conf_load(OSSL_LIB_C
|
+ const char *confvalue = ecmd->value;
|
||||||
}
|
+
|
||||||
|
+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n",
|
||||||
if (activate) {
|
+ confname, confvalue);
|
||||||
- if (!CRYPTO_THREAD_write_lock(pcgbl->lock)) {
|
+
|
||||||
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
+ /* First handle some special pseudo confs */
|
||||||
- return 0;
|
+
|
||||||
- }
|
+ /* Override provider name to use */
|
||||||
- if (!prov_already_activated(name, pcgbl->activated_providers)) {
|
+ if (strcmp(confname, "identity") == 0)
|
||||||
- /*
|
+ name = confvalue;
|
||||||
- * There is an attempt to activate a provider, so we should disable
|
+ else if (strcmp(confname, "soft_load") == 0)
|
||||||
- * loading of fallbacks. Otherwise a misconfiguration could mean the
|
+ soft = 1;
|
||||||
- * intended provider does not get loaded. Subsequent fetches could
|
+ /* Load a dynamic PROVIDER */
|
||||||
- * then fallback to the default provider - which may be the wrong
|
+ else if (strcmp(confname, "module") == 0)
|
||||||
- * thing.
|
+ path = confvalue;
|
||||||
- */
|
+ else if (strcmp(confname, "activate") == 0)
|
||||||
- if (!ossl_provider_disable_fallback_loading(libctx)) {
|
+ activate = 1;
|
||||||
- CRYPTO_THREAD_unlock(pcgbl->lock);
|
+ }
|
||||||
- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR);
|
+
|
||||||
- return 0;
|
+ if (activate) {
|
||||||
- }
|
+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf);
|
||||||
- prov = ossl_provider_find(libctx, name, 1);
|
|
||||||
- if (prov == NULL)
|
|
||||||
- prov = ossl_provider_new(libctx, name, NULL, 1);
|
|
||||||
- if (prov == NULL) {
|
|
||||||
- CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
||||||
- if (soft)
|
|
||||||
- ERR_clear_error();
|
|
||||||
- return 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if (path != NULL)
|
|
||||||
- ossl_provider_set_module_path(prov, path);
|
|
||||||
-
|
|
||||||
- ok = provider_conf_params(prov, NULL, NULL, value, cnf);
|
|
||||||
-
|
|
||||||
- if (ok) {
|
|
||||||
- if (!ossl_provider_activate(prov, 1, 0)) {
|
|
||||||
- ok = 0;
|
|
||||||
- } else if (!ossl_provider_add_to_store(prov, &actual, 0)) {
|
|
||||||
- ossl_provider_deactivate(prov);
|
|
||||||
- ok = 0;
|
|
||||||
- } else {
|
|
||||||
- if (pcgbl->activated_providers == NULL)
|
|
||||||
- pcgbl->activated_providers = sk_OSSL_PROVIDER_new_null();
|
|
||||||
- sk_OSSL_PROVIDER_push(pcgbl->activated_providers, actual);
|
|
||||||
- ok = 1;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
- if (!ok)
|
|
||||||
- ossl_provider_free(prov);
|
|
||||||
- }
|
|
||||||
- CRYPTO_THREAD_unlock(pcgbl->lock);
|
|
||||||
+ ok = provider_conf_activate(libctx, pcgbl, name, value, path, soft, cnf);
|
|
||||||
} else {
|
} else {
|
||||||
OSSL_PROVIDER_INFO entry;
|
OSSL_PROVIDER_INFO entry;
|
||||||
|
|
||||||
@@ -294,6 +306,19 @@ static int provider_conf_init(CONF_IMODU
|
@@ -306,6 +315,19 @@ static int provider_conf_init(CONF_IMODU
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -142,9 +148,9 @@ diff -up openssl-3.0.0/crypto/provider_conf.c.fips-force openssl-3.0.0/crypto/pr
|
|||||||
+ PROVIDER_CONF_GLOBAL *pcgbl
|
+ PROVIDER_CONF_GLOBAL *pcgbl
|
||||||
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX,
|
||||||
+ &provider_conf_ossl_ctx_method);
|
+ &provider_conf_ossl_ctx_method);
|
||||||
+ if (provider_conf_activate(libctx, pcgbl, "fips", NULL, NULL, 0, NULL) != 1)
|
+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ if (provider_conf_activate(libctx, pcgbl, "base", NULL, NULL, 0, NULL) != 1)
|
+ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
+ if (EVP_default_properties_enable_fips(libctx, 1) != 1)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
|
@ -10,7 +10,7 @@ diff -up openssl-3.0.0/providers/fips/self_test.c.embed-hmac openssl-3.0.0/provi
|
|||||||
+ * The __attribute__ ensures we've created the .rodata1 section
|
+ * The __attribute__ ensures we've created the .rodata1 section
|
||||||
+ * static ensures it's zero filled
|
+ * static ensures it's zero filled
|
||||||
+*/
|
+*/
|
||||||
+static const volatile unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
+static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0};
|
||||||
+
|
+
|
||||||
/*
|
/*
|
||||||
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
* Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify
|
||||||
|
@ -11,10 +11,160 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c
|
|||||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in
|
diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
|
||||||
--- openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx 2021-11-22 13:19:55.192959061 +0100
|
--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
|
||||||
+++ openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in 2021-11-22 13:20:56.978491104 +0100
|
+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
|
||||||
@@ -8,224 +8,10 @@ openssl-fipsinstall - perform FIPS confi
|
@@ -158,10 +158,6 @@ Engine (loadable module) information and
|
||||||
|
|
||||||
|
Error Number to Error String Conversion.
|
||||||
|
|
||||||
|
-=item B<fipsinstall>
|
||||||
|
-
|
||||||
|
-FIPS configuration installation.
|
||||||
|
-
|
||||||
|
=item B<gendsa>
|
||||||
|
|
||||||
|
Generation of DSA Private Key from Parameters. Superseded by
|
||||||
|
diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
|
||||||
|
--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
|
||||||
|
@@ -573,7 +573,6 @@ configuration files using that syntax wi
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
||||||
|
-L<openssl-fipsinstall(1)>,
|
||||||
|
L<ASN1_generate_nconf(3)>,
|
||||||
|
L<EVP_set_default_properties(3)>,
|
||||||
|
L<CONF_modules_load(3)>,
|
||||||
|
diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
|
||||||
|
--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
|
||||||
|
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
||||||
|
-is used to hold information about the FIPS module. This includes a digest
|
||||||
|
-of the shared library file, and status about the self-testing.
|
||||||
|
-This data is used automatically by the module itself for two
|
||||||
|
-purposes:
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
||||||
|
-
|
||||||
|
-This is normally done once, at installation time, but may also be set up to
|
||||||
|
-run each time the module is used.
|
||||||
|
-
|
||||||
|
-=item - Verify the module's checksum.
|
||||||
|
-
|
||||||
|
-This is done each time the module is used.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
||||||
|
-used internally by the FIPS module during its initialization.
|
||||||
|
-
|
||||||
|
-The following options are supported. They should all appear in a section
|
||||||
|
-whose name is identified by the B<fips> option in the B<providers>
|
||||||
|
-section, as described in L<config(5)/Provider Configuration Module>.
|
||||||
|
-
|
||||||
|
-=over 4
|
||||||
|
-
|
||||||
|
-=item B<activate>
|
||||||
|
-
|
||||||
|
-If present, the module is activated. The value assigned to this name is not
|
||||||
|
-significant.
|
||||||
|
-
|
||||||
|
-=item B<install-version>
|
||||||
|
-
|
||||||
|
-A version number for the fips install process. Should be 1.
|
||||||
|
-
|
||||||
|
-=item B<conditional-errors>
|
||||||
|
-
|
||||||
|
-The FIPS module normally enters an internal error mode if any self test fails.
|
||||||
|
-Once this error mode is active, no services or cryptographic algorithms are
|
||||||
|
-accessible from this point on.
|
||||||
|
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
||||||
|
-generation, or the CRNG output test).
|
||||||
|
-Setting this value to C<0> allows the error mode to not be triggered if any
|
||||||
|
-continuous test fails. The default value of C<1> will trigger the error mode.
|
||||||
|
-Regardless of the value, the operation (e.g., key generation) that called the
|
||||||
|
-continuous test will return an error code if its continuous test fails. The
|
||||||
|
-operation may then be retried if the error mode has not been triggered.
|
||||||
|
-
|
||||||
|
-=item B<security-checks>
|
||||||
|
-
|
||||||
|
-This indicates if run-time checks related to enforcement of security parameters
|
||||||
|
-such as minimum security strength of keys and approved curve names are used.
|
||||||
|
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
||||||
|
-are not performed and FIPS compliance must be done by procedures documented in
|
||||||
|
-the relevant Security Policy.
|
||||||
|
-
|
||||||
|
-=item B<module-mac>
|
||||||
|
-
|
||||||
|
-The calculated MAC of the FIPS provider file.
|
||||||
|
-
|
||||||
|
-=item B<install-status>
|
||||||
|
-
|
||||||
|
-An indicator that the self-tests were successfully run.
|
||||||
|
-This should only be written after the module has
|
||||||
|
-successfully passed its self tests during installation.
|
||||||
|
-If this field is not present, then the self tests will run when the module
|
||||||
|
-loads.
|
||||||
|
-
|
||||||
|
-=item B<install-mac>
|
||||||
|
-
|
||||||
|
-A MAC of the value of the B<install-status> option, to prevent accidental
|
||||||
|
-changes to that value.
|
||||||
|
-It is written-to at the same time as B<install-status> is updated.
|
||||||
|
-
|
||||||
|
-=back
|
||||||
|
-
|
||||||
|
-For example:
|
||||||
|
-
|
||||||
|
- [fips_sect]
|
||||||
|
- activate = 1
|
||||||
|
- install-version = 1
|
||||||
|
- conditional-errors = 1
|
||||||
|
- security-checks = 1
|
||||||
|
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
||||||
|
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
||||||
|
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
||||||
|
-
|
||||||
|
-=head1 NOTES
|
||||||
|
-
|
||||||
|
-When using the FIPS provider, it is recommended that the
|
||||||
|
-B<config_diagnostics> option is enabled to prevent accidental use of
|
||||||
|
-non-FIPS validated algorithms via broken or mistaken configuration.
|
||||||
|
-See L<config(5)>.
|
||||||
|
-
|
||||||
|
-=head1 SEE ALSO
|
||||||
|
-
|
||||||
|
-L<config(5)>
|
||||||
|
-L<openssl-fipsinstall(1)>
|
||||||
|
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
||||||
|
+automatically loaded when the system is booted in FIPS mode, or when the
|
||||||
|
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
||||||
|
+for more information.
|
||||||
|
|
||||||
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
|
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
||||||
|
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
||||||
|
+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
|
||||||
|
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
-L<openssl-fipsinstall(1)>,
|
||||||
|
L<fips_config(5)>,
|
||||||
|
L<OSSL_SELF_TEST_set_callback(3)>,
|
||||||
|
L<OSSL_SELF_TEST_new(3)>,
|
||||||
|
diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in
|
||||||
|
--- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100
|
||||||
|
+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100
|
||||||
|
@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi
|
||||||
=head1 SYNOPSIS
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
B<openssl fipsinstall>
|
B<openssl fipsinstall>
|
||||||
@ -37,7 +187,7 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc
|
|||||||
-[B<-config> I<parent_config>]
|
-[B<-config> I<parent_config>]
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
-
|
||||||
-This command is used to generate a FIPS module configuration file.
|
-This command is used to generate a FIPS module configuration file.
|
||||||
-This configuration file can be used each time a FIPS module is loaded
|
-This configuration file can be used each time a FIPS module is loaded
|
||||||
-in order to pass data to the FIPS module self tests. The FIPS module always
|
-in order to pass data to the FIPS module self tests. The FIPS module always
|
||||||
@ -207,6 +357,18 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc
|
|||||||
-
|
-
|
||||||
-=back
|
-=back
|
||||||
-
|
-
|
||||||
|
-=head1 NOTES
|
||||||
|
-
|
||||||
|
-Self tests results are logged by default if the options B<-quiet> and B<-noout>
|
||||||
|
-are not specified, or if either of the options B<-corrupt_desc> or
|
||||||
|
-B<-corrupt_type> are used.
|
||||||
|
-If the base configuration file is set up to autoload the fips module, then the
|
||||||
|
-fips module will be loaded and self tested BEFORE the fipsinstall application
|
||||||
|
-has a chance to set up its own self test callback. As a result of this the self
|
||||||
|
-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored.
|
||||||
|
-For normal usage the base configuration file should use the default provider
|
||||||
|
-when generating the fips configuration file.
|
||||||
|
-
|
||||||
-=head1 EXAMPLES
|
-=head1 EXAMPLES
|
||||||
-
|
-
|
||||||
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
-Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
|
||||||
@ -236,157 +398,9 @@ diff -up openssl-3.0.0/doc/man1/openssl-fipsinstall.pod.in.xxx openssl-3.0.0/doc
|
|||||||
-L<fips_config(5)>,
|
-L<fips_config(5)>,
|
||||||
-L<OSSL_PROVIDER-FIPS(7)>,
|
-L<OSSL_PROVIDER-FIPS(7)>,
|
||||||
-L<EVP_MAC(3)>
|
-L<EVP_MAC(3)>
|
||||||
+This command is disabled. Please consult Red Hat Enterprise Linux documentation to learn how to correctly enable FIPS mode on Red Hat Enterprise Linux.
|
+This command is disabled.
|
||||||
|
+Please consult Red Hat Enterprise Linux documentation to learn how to correctly
|
||||||
|
+enable FIPS mode on Red Hat Enterprise
|
||||||
|
|
||||||
=head1 COPYRIGHT
|
=head1 COPYRIGHT
|
||||||
|
|
||||||
diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod
|
|
||||||
--- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100
|
|
||||||
+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100
|
|
||||||
@@ -158,10 +158,6 @@ Engine (loadable module) information and
|
|
||||||
|
|
||||||
Error Number to Error String Conversion.
|
|
||||||
|
|
||||||
-=item B<fipsinstall>
|
|
||||||
-
|
|
||||||
-FIPS configuration installation.
|
|
||||||
-
|
|
||||||
=item B<gendsa>
|
|
||||||
|
|
||||||
Generation of DSA Private Key from Parameters. Superseded by
|
|
||||||
diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod
|
|
||||||
--- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100
|
|
||||||
+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100
|
|
||||||
@@ -573,7 +573,6 @@ configuration files using that syntax wi
|
|
||||||
=head1 SEE ALSO
|
|
||||||
|
|
||||||
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
|
|
||||||
-L<openssl-fipsinstall(1)>,
|
|
||||||
L<ASN1_generate_nconf(3)>,
|
|
||||||
L<EVP_set_default_properties(3)>,
|
|
||||||
L<CONF_modules_load(3)>,
|
|
||||||
diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod
|
|
||||||
--- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100
|
|
||||||
+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100
|
|
||||||
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
|
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
|
||||||
|
|
||||||
-A separate configuration file, using the OpenSSL L<config(5)> syntax,
|
|
||||||
-is used to hold information about the FIPS module. This includes a digest
|
|
||||||
-of the shared library file, and status about the self-testing.
|
|
||||||
-This data is used automatically by the module itself for two
|
|
||||||
-purposes:
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item - Run the startup FIPS self-test known answer tests (KATS).
|
|
||||||
-
|
|
||||||
-This is normally done once, at installation time, but may also be set up to
|
|
||||||
-run each time the module is used.
|
|
||||||
-
|
|
||||||
-=item - Verify the module's checksum.
|
|
||||||
-
|
|
||||||
-This is done each time the module is used.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-This file is generated by the L<openssl-fipsinstall(1)> program, and
|
|
||||||
-used internally by the FIPS module during its initialization.
|
|
||||||
-
|
|
||||||
-The following options are supported. They should all appear in a section
|
|
||||||
-whose name is identified by the B<fips> option in the B<providers>
|
|
||||||
-section, as described in L<config(5)/Provider Configuration Module>.
|
|
||||||
-
|
|
||||||
-=over 4
|
|
||||||
-
|
|
||||||
-=item B<activate>
|
|
||||||
-
|
|
||||||
-If present, the module is activated. The value assigned to this name is not
|
|
||||||
-significant.
|
|
||||||
-
|
|
||||||
-=item B<install-version>
|
|
||||||
-
|
|
||||||
-A version number for the fips install process. Should be 1.
|
|
||||||
-
|
|
||||||
-=item B<conditional-errors>
|
|
||||||
-
|
|
||||||
-The FIPS module normally enters an internal error mode if any self test fails.
|
|
||||||
-Once this error mode is active, no services or cryptographic algorithms are
|
|
||||||
-accessible from this point on.
|
|
||||||
-Continuous tests are a subset of the self tests (e.g., a key pair test during key
|
|
||||||
-generation, or the CRNG output test).
|
|
||||||
-Setting this value to C<0> allows the error mode to not be triggered if any
|
|
||||||
-continuous test fails. The default value of C<1> will trigger the error mode.
|
|
||||||
-Regardless of the value, the operation (e.g., key generation) that called the
|
|
||||||
-continuous test will return an error code if its continuous test fails. The
|
|
||||||
-operation may then be retried if the error mode has not been triggered.
|
|
||||||
-
|
|
||||||
-=item B<security-checks>
|
|
||||||
-
|
|
||||||
-This indicates if run-time checks related to enforcement of security parameters
|
|
||||||
-such as minimum security strength of keys and approved curve names are used.
|
|
||||||
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
|
|
||||||
-are not performed and FIPS compliance must be done by procedures documented in
|
|
||||||
-the relevant Security Policy.
|
|
||||||
-
|
|
||||||
-=item B<module-mac>
|
|
||||||
-
|
|
||||||
-The calculated MAC of the FIPS provider file.
|
|
||||||
-
|
|
||||||
-=item B<install-status>
|
|
||||||
-
|
|
||||||
-An indicator that the self-tests were successfully run.
|
|
||||||
-This should only be written after the module has
|
|
||||||
-successfully passed its self tests during installation.
|
|
||||||
-If this field is not present, then the self tests will run when the module
|
|
||||||
-loads.
|
|
||||||
-
|
|
||||||
-=item B<install-mac>
|
|
||||||
-
|
|
||||||
-A MAC of the value of the B<install-status> option, to prevent accidental
|
|
||||||
-changes to that value.
|
|
||||||
-It is written-to at the same time as B<install-status> is updated.
|
|
||||||
-
|
|
||||||
-=back
|
|
||||||
-
|
|
||||||
-For example:
|
|
||||||
-
|
|
||||||
- [fips_sect]
|
|
||||||
- activate = 1
|
|
||||||
- install-version = 1
|
|
||||||
- conditional-errors = 1
|
|
||||||
- security-checks = 1
|
|
||||||
- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
|
|
||||||
- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
|
|
||||||
- install-status = INSTALL_SELF_TEST_KATS_RUN
|
|
||||||
-
|
|
||||||
-=head1 NOTES
|
|
||||||
-
|
|
||||||
-When using the FIPS provider, it is recommended that the
|
|
||||||
-B<config_diagnostics> option is enabled to prevent accidental use of
|
|
||||||
-non-FIPS validated algorithms via broken or mistaken configuration.
|
|
||||||
-See L<config(5)>.
|
|
||||||
-
|
|
||||||
-=head1 SEE ALSO
|
|
||||||
-
|
|
||||||
-L<config(5)>
|
|
||||||
-L<openssl-fipsinstall(1)>
|
|
||||||
+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is
|
|
||||||
+automatically loaded when the system is boots in FIPS mode, or when the
|
|
||||||
+environment variable B<OPENSSL_FORCE_FIPS_MODE> is set. See the documentation
|
|
||||||
+for more information.
|
|
||||||
|
|
||||||
=head1 COPYRIGHT
|
|
||||||
|
|
||||||
diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod
|
|
||||||
--- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100
|
|
||||||
+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100
|
|
||||||
@@ -388,7 +388,6 @@ A simple self test callback is shown bel
|
|
||||||
|
|
||||||
=head1 SEE ALSO
|
|
||||||
|
|
||||||
-L<openssl-fipsinstall(1)>,
|
|
||||||
L<fips_config(5)>,
|
|
||||||
L<OSSL_SELF_TEST_set_callback(3)>,
|
|
||||||
L<OSSL_SELF_TEST_new(3)>,
|
|
||||||
|
120
SOURCES/0045-FIPS-services-minimize.patch
Normal file
120
SOURCES/0045-FIPS-services-minimize.patch
Normal file
@ -0,0 +1,120 @@
|
|||||||
|
diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers/fips/fipsprov.c
|
||||||
|
--- openssl-3.0.0/providers/fips/fipsprov.c.fipsmin 2022-01-12 17:17:42.574377550 +0100
|
||||||
|
+++ openssl-3.0.0/providers/fips/fipsprov.c 2022-01-12 17:19:57.590598279 +0100
|
||||||
|
@@ -37,6 +37,9 @@ static OSSL_FUNC_provider_query_operatio
|
||||||
|
|
||||||
|
#define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
|
||||||
|
#define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
|
||||||
|
+#define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK }
|
||||||
|
+#define ALGU(NAMES, FUNC) ALGCU(NAMES, FUNC, NULL)
|
||||||
|
+
|
||||||
|
|
||||||
|
extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
|
||||||
|
int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
|
||||||
|
@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
|
||||||
|
* KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
|
||||||
|
* KMAC128 and KMAC256.
|
||||||
|
*/
|
||||||
|
- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
+ { PROV_NAMES_KECCAK_KMAC_128, FIPS_UNAPPROVED_PROPERTIES,
|
||||||
|
ossl_keccak_kmac_128_functions },
|
||||||
|
- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
+ { PROV_NAMES_KECCAK_KMAC_256, FIPS_UNAPPROVED_PROPERTIES,
|
||||||
|
ossl_keccak_kmac_256_functions },
|
||||||
|
{ NULL, NULL, NULL }
|
||||||
|
};
|
||||||
|
@@ -326,8 +329,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
|
||||||
|
ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
|
||||||
|
ossl_cipher_capable_aes_cbc_hmac_sha256),
|
||||||
|
#ifndef OPENSSL_NO_DES
|
||||||
|
- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||||
|
- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
||||||
|
+ ALGU(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
|
||||||
|
+ ALGU(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
|
||||||
|
#endif /* OPENSSL_NO_DES */
|
||||||
|
{ { NULL, NULL, NULL }, NULL }
|
||||||
|
};
|
||||||
|
@@ -339,8 +342,8 @@ static const OSSL_ALGORITHM fips_macs[]
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
|
||||||
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
|
||||||
|
- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
|
||||||
|
- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
|
||||||
|
+ { PROV_NAMES_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac128_functions },
|
||||||
|
+ { PROV_NAMES_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac256_functions },
|
||||||
|
{ NULL, NULL, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -375,8 +378,8 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
{ PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
|
||||||
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||||
|
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
|
||||||
|
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions },
|
||||||
|
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
ossl_kdf_tls1_prf_keyexch_functions },
|
||||||
|
@@ -386,12 +389,12 @@ static const OSSL_ALGORITHM fips_keyexch
|
||||||
|
|
||||||
|
static const OSSL_ALGORITHM fips_signature[] = {
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
|
||||||
|
+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_signature_functions },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
|
||||||
|
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
|
||||||
|
+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions },
|
||||||
|
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
|
||||||
|
{ PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
|
||||||
|
@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||||
|
PROV_DESCS_DHX },
|
||||||
|
#endif
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_keymgmt_functions,
|
||||||
|
PROV_DESCS_DSA },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
|
||||||
|
@@ -431,13 +434,13 @@ static const OSSL_ALGORITHM fips_keymgmt
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
{ PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
|
||||||
|
PROV_DESCS_EC },
|
||||||
|
- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions,
|
||||||
|
PROV_DESCS_X25519 },
|
||||||
|
- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions,
|
||||||
|
PROV_DESCS_X448 },
|
||||||
|
- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
|
||||||
|
PROV_DESCS_ED25519 },
|
||||||
|
- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
|
||||||
|
+ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
|
||||||
|
PROV_DESCS_ED448 },
|
||||||
|
#endif
|
||||||
|
{ PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
|
||||||
|
diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c
|
||||||
|
--- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100
|
||||||
|
+++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100
|
||||||
|
@@ -1473,6 +1473,7 @@ int setup_tests(void)
|
||||||
|
OSSL_NELEM(dh_safe_prime_keyver_data));
|
||||||
|
#endif /* OPENSSL_NO_DH */
|
||||||
|
|
||||||
|
+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
|
||||||
|
#ifndef OPENSSL_NO_DSA
|
||||||
|
ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
|
||||||
|
ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
|
||||||
|
@@ -1480,6 +1481,7 @@ int setup_tests(void)
|
||||||
|
ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
|
||||||
|
ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
|
||||||
|
#endif /* OPENSSL_NO_DSA */
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_EC
|
||||||
|
ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
|
22
SOURCES/0046-FIPS-s390x-hardening.patch
Normal file
22
SOURCES/0046-FIPS-s390x-hardening.patch
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
|
||||||
|
index 5c70b2d67840..c5726c638bdd 100644
|
||||||
|
--- a/crypto/ec/ecp_s390x_nistp.c
|
||||||
|
+++ b/crypto/ec/ecp_s390x_nistp.c
|
||||||
|
@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
|
||||||
|
/* Otherwise use default. */
|
||||||
|
if (rc == -1)
|
||||||
|
rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
|
||||||
|
- OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
|
||||||
|
+ OPENSSL_cleanse(param, sizeof(param));
|
||||||
|
BN_CTX_end(ctx);
|
||||||
|
BN_CTX_free(new_ctx);
|
||||||
|
return rc;
|
||||||
|
@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
|
||||||
|
|
||||||
|
ok = 1;
|
||||||
|
ret:
|
||||||
|
- OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
|
||||||
|
+ OPENSSL_cleanse(param, sizeof(param));
|
||||||
|
if (ok != 1) {
|
||||||
|
ECDSA_SIG_free(sig);
|
||||||
|
sig = NULL;
|
39
SOURCES/0047-FIPS-early-KATS.patch
Normal file
39
SOURCES/0047-FIPS-early-KATS.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c
|
||||||
|
--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100
|
||||||
|
+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100
|
||||||
|
@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
if (ev == NULL)
|
||||||
|
goto end;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
||||||
|
+ */
|
||||||
|
+ if (kats_already_passed == 0) {
|
||||||
|
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||||
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
module_checksum = fips_hmac_container;
|
||||||
|
checksum_len = sizeof(fips_hmac_container);
|
||||||
|
|
||||||
|
@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||||
|
kats_already_passed = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Only runs the KAT's during installation OR on_demand().
|
||||||
|
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
||||||
|
- * path will always be run, since kats_already_passed will always be 0.
|
||||||
|
- */
|
||||||
|
- if (on_demand_test || kats_already_passed == 0) {
|
||||||
|
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||||
|
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
ok = 1;
|
||||||
|
end:
|
||||||
|
OSSL_SELF_TEST_free(ev);
|
@ -1,12 +0,0 @@
|
|||||||
diff -up openssl-3.0.0/apps/s_client.c.coverity openssl-3.0.0/apps/s_client.c
|
|
||||||
--- openssl-3.0.0/apps/s_client.c.coverity 2021-10-07 16:59:37.938432118 +0200
|
|
||||||
+++ openssl-3.0.0/apps/s_client.c 2021-10-07 17:00:52.994075755 +0200
|
|
||||||
@@ -3040,6 +3040,8 @@ int s_client_main(int argc, char **argv)
|
|
||||||
#endif
|
|
||||||
OPENSSL_free(connectstr);
|
|
||||||
OPENSSL_free(bindstr);
|
|
||||||
+ OPENSSL_free(bindhost);
|
|
||||||
+ OPENSSL_free(bindport);
|
|
||||||
OPENSSL_free(host);
|
|
||||||
OPENSSL_free(port);
|
|
||||||
OPENSSL_free(thost);
|
|
@ -14,8 +14,8 @@
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.0
|
Version: 3.0.1
|
||||||
Release: 6%{?dist}
|
Release: 5%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -55,8 +55,6 @@ Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|||||||
Patch11: 0011-Remove-EC-curves.patch
|
Patch11: 0011-Remove-EC-curves.patch
|
||||||
# Instructions to load legacy provider in openssl.cnf
|
# Instructions to load legacy provider in openssl.cnf
|
||||||
Patch24: 0024-load-legacy-prov.patch
|
Patch24: 0024-load-legacy-prov.patch
|
||||||
# Tmp: Upstream #16636
|
|
||||||
Patch30: 0030-tmp-Fix-rng-seed-double-free.patch
|
|
||||||
# Tmp: test name change
|
# Tmp: test name change
|
||||||
Patch31: 0031-tmp-Fix-test-names.patch
|
Patch31: 0031-tmp-Fix-test-names.patch
|
||||||
# We load FIPS provider and set FIPS properties implicitly
|
# We load FIPS provider and set FIPS properties implicitly
|
||||||
@ -67,12 +65,16 @@ Patch33: 0033-FIPS-embed-hmac.patch
|
|||||||
Patch34: 0034.fipsinstall_disable.patch
|
Patch34: 0034.fipsinstall_disable.patch
|
||||||
# Skip unavailable algorithms running `openssl speed`
|
# Skip unavailable algorithms running `openssl speed`
|
||||||
Patch35: 0035-speed-skip-unavailable-dgst.patch
|
Patch35: 0035-speed-skip-unavailable-dgst.patch
|
||||||
# Tmp: coverity
|
# Minimize fips services
|
||||||
Patch100: 0100-coverity.patch
|
Patch45: 0045-FIPS-services-minimize.patch
|
||||||
|
# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
|
||||||
|
Patch46: 0046-FIPS-s390x-hardening.patch
|
||||||
|
# Execute KATS before HMAC verification
|
||||||
|
Patch47: 0047-FIPS-early-KATS.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc g++
|
||||||
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||||
BuildRequires: lksctp-tools-devel
|
BuildRequires: lksctp-tools-devel
|
||||||
BuildRequires: /usr/bin/rename
|
BuildRequires: /usr/bin/rename
|
||||||
@ -210,13 +212,13 @@ export HASHBANGPERL=/usr/bin/perl
|
|||||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||||
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
|
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
|
||||||
no-mdc2 no-ec2m no-sm2 no-sm4 \
|
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
|
||||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
||||||
|
|
||||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||||
#util/mkdef.pl crypto update
|
#util/mkdef.pl crypto update
|
||||||
|
|
||||||
make -s %{?_smp_mflags} all
|
make %{?_smp_mflags} all
|
||||||
|
|
||||||
# Clean up the .pc files
|
# Clean up the .pc files
|
||||||
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
for i in libcrypto.pc libssl.pc openssl.pc ; do
|
||||||
@ -310,9 +312,8 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
|
|||||||
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
|
||||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
|
||||||
%ifarch i686
|
#we don't use native fipsmodule.cnf because FIPS module is loaded automatically
|
||||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
|
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
|
||||||
%endif
|
|
||||||
|
|
||||||
# Determine which arch opensslconf.h is going to try to #include.
|
# Determine which arch opensslconf.h is going to try to #include.
|
||||||
basearch=%{_arch}
|
basearch=%{_arch}
|
||||||
@ -374,9 +375,6 @@ install -m644 %{SOURCE9} \
|
|||||||
%{_libdir}/libssl.so.%{soversion}
|
%{_libdir}/libssl.so.%{soversion}
|
||||||
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
|
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
|
||||||
%attr(0755,root,root) %{_libdir}/ossl-modules
|
%attr(0755,root,root) %{_libdir}/ossl-modules
|
||||||
%ifnarch i686
|
|
||||||
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
|
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
|
||||||
@ -400,6 +398,32 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5
|
||||||
|
- On the s390x, zeroize all the copies of TLS premaster secret
|
||||||
|
- Related: rhbz#2040448
|
||||||
|
|
||||||
|
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4
|
||||||
|
- rebuilt
|
||||||
|
|
||||||
|
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3
|
||||||
|
- KATS tests should be executed before HMAC verification
|
||||||
|
- Restoring fips=yes for SHA1
|
||||||
|
- Related: rhbz#2026445, rhbz#2041994
|
||||||
|
|
||||||
|
* Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2
|
||||||
|
- Add enable-buildtest-c++ to the configure options.
|
||||||
|
- Related: rhbz#1990814
|
||||||
|
|
||||||
|
* Tue Jan 18 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-1
|
||||||
|
- Rebase to upstream version 3.0.1
|
||||||
|
- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
|
||||||
|
- Resolves: rhbz#2038910, rhbz#2035148
|
||||||
|
|
||||||
|
* Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-7
|
||||||
|
- Remove algorithms we don't plan to certify from fips module
|
||||||
|
- Remove native fipsmodule.cnf
|
||||||
|
- Related: rhbz#2026445
|
||||||
|
|
||||||
* Tue Dec 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-6
|
* Tue Dec 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-6
|
||||||
- openssl speed should run in FIPS mode
|
- openssl speed should run in FIPS mode
|
||||||
- Related: rhbz#1977318
|
- Related: rhbz#1977318
|
||||||
|
Loading…
Reference in New Issue
Block a user