Use PBMAC1 by default when creating PKCS#12 files in FIPS mode

Related: RHEL-36659
2024-08-14 11:36:06 +02:00 · 2024-08-14 11:36:06 +02:00 · 8fc2d48423
commit 8fc2d48423
parent 299b43d420
2 changed files with 28 additions and 1 deletions
--- a/0125-PBMAC1-PKCS12-FIPS-default.patch
+++ b/0125-PBMAC1-PKCS12-FIPS-default.patch
@ -0,0 +1,21 @@
+diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c
+--- openssl-3.2.2/apps/pkcs12.c.xxx	2024-08-14 11:24:41.164589397 +0200
+++ openssl-3.2.2/apps/pkcs12.c	2024-08-14 11:28:21.071004221 +0200
+@@ -17,6 +17,7 @@
+ #include <openssl/asn1.h>
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
+#include <openssl/evp.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
+ #include <openssl/provider.h>
+@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv)
+         }
+ 
+         if (maciter != -1) {
+            if (EVP_default_properties_is_fips_enabled(NULL))
+                pbmac1_pbkdf2 = 1;
+
+             if (pbmac1_pbkdf2 == 1) {
+                 if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
+                                               macsaltlen, maciter,
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.2.2
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@ -160,6 +160,8 @@ Patch121: 0121-FIPS-cms-defaults.patch
 Patch122: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
 # https://github.com/openssl/openssl/issues/24577
 Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch
+# Downstream patch: enforce PBMAC1 in FIPS mode
+Patch125: 0125-PBMAC1-PKCS12-FIPS-default.patch

 License: Apache-2.0
 URL: http://www.openssl.org/
@ -505,6 +507,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs

 %changelog
+* Wed Aug 14 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-10
+- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
+  Related: RHEL-36659
+
 * Fri Aug 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-9
 - An interface to create PKCS #12 files in FIPS compliant way
  Related: RHEL-36659