FIPS provider doesn't block RSA encryption for key transport

Resolves: rhbz#2053289
2022-03-28 17:38:25 +02:00 · 2022-03-28 17:38:25 +02:00 · 7a1c7b28bc
commit 7a1c7b28bc
parent 93ff3f8fe5
2 changed files with 26 additions and 1 deletions
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@ -89,6 +89,15 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
     { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
 #endif
     { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
+@@ -407,7 +407,7 @@ static const OSSL_ALGORITHM fips_signatu
+ };
+ 
+ static const OSSL_ALGORITHM fips_asym_cipher[] = {
+-    { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions },
+    { PROV_NAMES_RSA, FIPS_UNAPPROVED_PROPERTIES, ossl_rsa_asym_cipher_functions },
+     { NULL, NULL, NULL }
+ };
+ 
@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt
       PROV_DESCS_DHX },
 #endif
@ -119,6 +128,18 @@ diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers
 diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c
 --- openssl-3.0.0/test/acvp_test.c.fipsmin	2022-01-12 18:34:17.283654119 +0100
 +++ openssl-3.0.0/test/acvp_test.c	2022-01-12 18:35:46.270430676 +0100
+@@ -1466,8 +1466,9 @@ int setup_tests(void)
+     ADD_ALL_TESTS(rsa_keygen_test, OSSL_NELEM(rsa_keygen_data));
+     ADD_ALL_TESTS(rsa_siggen_test, OSSL_NELEM(rsa_siggen_data));
+     ADD_ALL_TESTS(rsa_sigver_test, OSSL_NELEM(rsa_sigver_data));
+-    ADD_ALL_TESTS(rsa_decryption_primitive_test,
+-                  OSSL_NELEM(rsa_decrypt_prim_data));
+/* Red Hat FIPS provider doesn't have fips=yes property on RSA encryption */
+/*    ADD_ALL_TESTS(rsa_decryption_primitive_test,
+                  OSSL_NELEM(rsa_decrypt_prim_data)); */
+ 
+ #ifndef OPENSSL_NO_DH
+     ADD_ALL_TESTS(dh_safe_prime_keygen_test,
@@ -1473,6 +1473,7 @@ int setup_tests(void)
                   OSSL_NELEM(dh_safe_prime_keyver_data));
 #endif /* OPENSSL_NO_DH */
--- a/openssl.spec
+++ b/openssl.spec
@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.1
-Release: 21%{?dist}
+Release: 22%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -418,6 +418,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Mon Mar 28 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-22
+- FIPS provider should block RSA encryption for key transport
+- Resolves: rhbz#2053289
+
 * Tue Mar 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-21
 - Fix occasional internal error in TLS when DHE is used
 - Resolves: rhbz#2004915