jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

KATS self-tests should run before HMAC verifcation

Browse Source 
Related: rhbz#2041994
This commit is contained in:
Dmitry Belyavskiy 2022-01-19 13:40:57 +01:00
parent f5421022ee
commit 9df33eabbe
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
0047-FIPS-early-KATS.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c
--- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100
+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100
@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
if (ev == NULL)
goto end;
+ /*
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
+ */
+ if (kats_already_passed == 0) {
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
+ }
+ }
+
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
kats_already_passed = 1;
}
}
-
- /*
- * Only runs the KAT's during installation OR on_demand().
- * NOTE: If the installation option 'self_test_onload' is chosen then this
- * path will always be run, since kats_already_passed will always be 0.
- */
- if (on_demand_test || kats_already_passed == 0) {
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
- }
ok = 1;
end:
OSSL_SELF_TEST_free(ev);

9
openssl.spec
View File

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.1 Version: 3.0.1
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -69,6 +69,8 @@ Patch35: 0035-speed-skip-unavailable-dgst.patch
Patch45: 0045-FIPS-services-minimize.patch Patch45: 0045-FIPS-services-minimize.patch
# Enable SHA1 HMAC in FIPS mode # Enable SHA1 HMAC in FIPS mode
Patch46: 0046-FIPS-permitsha1-hmac.patch Patch46: 0046-FIPS-permitsha1-hmac.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -396,6 +398,11 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3
- KATS tests should be executed before HMAC verification
- Restoring fips=yes for SHA1
- Related: rhbz#2026445, rhbz#2041994
* Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2 * Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2
- Add enable-buildtest-c++ to the configure options. - Add enable-buildtest-c++ to the configure options.
- Related: rhbz#1990814 - Related: rhbz#1990814