forked from rpms/openssl
KATS self-tests should run before HMAC verifcation
Related: rhbz#2041994
This commit is contained in:
parent
f5421022ee
commit
9df33eabbe
39
0047-FIPS-early-KATS.patch
Normal file
39
0047-FIPS-early-KATS.patch
Normal file
@ -0,0 +1,39 @@
|
||||
diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c
|
||||
--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100
|
||||
+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100
|
||||
@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
if (ev == NULL)
|
||||
goto end;
|
||||
|
||||
+ /*
|
||||
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
||||
+ */
|
||||
+ if (kats_already_passed == 0) {
|
||||
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||
+ goto end;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
module_checksum = fips_hmac_container;
|
||||
checksum_len = sizeof(fips_hmac_container);
|
||||
|
||||
@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
||||
kats_already_passed = 1;
|
||||
}
|
||||
}
|
||||
-
|
||||
- /*
|
||||
- * Only runs the KAT's during installation OR on_demand().
|
||||
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
||||
- * path will always be run, since kats_already_passed will always be 0.
|
||||
- */
|
||||
- if (on_demand_test || kats_already_passed == 0) {
|
||||
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
||||
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
||||
- goto end;
|
||||
- }
|
||||
- }
|
||||
ok = 1;
|
||||
end:
|
||||
OSSL_SELF_TEST_free(ev);
|
@ -15,7 +15,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -69,6 +69,8 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch
|
||||
Patch45: 0045-FIPS-services-minimize.patch
|
||||
# Enable SHA1 HMAC in FIPS mode
|
||||
Patch46: 0046-FIPS-permitsha1-hmac.patch
|
||||
# Execute KATS before HMAC verification
|
||||
Patch47: 0047-FIPS-early-KATS.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -396,6 +398,11 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3
|
||||
- KATS tests should be executed before HMAC verification
|
||||
- Restoring fips=yes for SHA1
|
||||
- Related: rhbz#2026445, rhbz#2041994
|
||||
|
||||
* Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2
|
||||
- Add enable-buildtest-c++ to the configure options.
|
||||
- Related: rhbz#1990814
|
||||
|
Loading…
Reference in New Issue
Block a user