From cc37486d8653c65d4497bc9ce409e33fc61d7a4a Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Thu, 13 Jan 2022 13:33:40 +0100
Subject: [PATCH] Minimize the list of services allowed for FIPS

Related: rhbz#2026445
---
 0045-FIPS-services-minimize.patch | 129 ++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 0045-FIPS-services-minimize.patch

diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
new file mode 100644
index 0000000..e572d86
--- /dev/null
+++ b/0045-FIPS-services-minimize.patch
@@ -0,0 +1,129 @@
+diff -up openssl-3.0.0/providers/fips/fipsprov.c.fipsmin openssl-3.0.0/providers/fips/fipsprov.c
+--- openssl-3.0.0/providers/fips/fipsprov.c.fipsmin 2022-01-12 17:17:42.574377550 +0100
++++ openssl-3.0.0/providers/fips/fipsprov.c 2022-01-12 17:19:57.590598279 +0100
+@@ -37,6 +37,9 @@ static OSSL_FUNC_provider_query_operatio
+ 
+ #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK }
+ #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
++#define ALGCU(NAMES, FUNC, CHECK) { { NAMES, FIPS_UNAPPROVED_PROPERTIES, FUNC }, CHECK }
++#define ALGU(NAMES, FUNC) ALGCU(NAMES, FUNC, NULL)
++
+ 
+ extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
+ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx);
+@@ -241,7 +244,7 @@ static int fips_self_test(void *provctx)
+ */
+ static const OSSL_ALGORITHM fips_digests[] = {
+ /* Our primary name:NiST name[:our older names] */
+- { PROV_NAMES_SHA1, FIPS_DEFAULT_PROPERTIES, ossl_sha1_functions },
++ { PROV_NAMES_SHA1, FIPS_UNAPPROVED_PROPERTIES, ossl_sha1_functions },
+ { PROV_NAMES_SHA2_224, FIPS_DEFAULT_PROPERTIES, ossl_sha224_functions },
+ { PROV_NAMES_SHA2_256, FIPS_DEFAULT_PROPERTIES, ossl_sha256_functions },
+ { PROV_NAMES_SHA2_384, FIPS_DEFAULT_PROPERTIES, ossl_sha384_functions },
+@@ -264,9 +267,9 @@ static const OSSL_ALGORITHM fips_digests
+ * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for
+ * KMAC128 and KMAC256.
+ */
+- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES,
++ { PROV_NAMES_KECCAK_KMAC_128, FIPS_UNAPPROVED_PROPERTIES,
+ ossl_keccak_kmac_128_functions },
+- { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES,
++ { PROV_NAMES_KECCAK_KMAC_256, FIPS_UNAPPROVED_PROPERTIES,
+ ossl_keccak_kmac_256_functions },
+ { NULL, NULL, NULL }
+ };
+@@ -326,8 +329,8 @@ static const OSSL_ALGORITHM_CAPABLE fips
+ ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions,
+ ossl_cipher_capable_aes_cbc_hmac_sha256),
+ #ifndef OPENSSL_NO_DES
+- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
+- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
++ ALGU(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions),
++ ALGU(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions),
+ #endif /* OPENSSL_NO_DES */
+ { { NULL, NULL, NULL }, NULL }
+ };
+@@ -339,8 +342,8 @@ static const OSSL_ALGORITHM fips_macs[]
+ #endif
+ { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions },
+ { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions },
+- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions },
+- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions },
++ { PROV_NAMES_KMAC_128, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac128_functions },
++ { PROV_NAMES_KMAC_256, FIPS_UNAPPROVED_PROPERTIES, ossl_kmac256_functions },
+ { NULL, NULL, NULL }
+ };
+ 
+@@ -375,8 +378,8 @@ static const OSSL_ALGORITHM fips_keyexch
+ #endif
+ #ifndef OPENSSL_NO_EC
+ { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions },
+- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions },
+- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },
++ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keyexch_functions },
++ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keyexch_functions },
+ #endif
+ { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
+ ossl_kdf_tls1_prf_keyexch_functions },
+@@ -386,12 +389,12 @@ static const OSSL_ALGORITHM fips_keyexch
+ 
+ static const OSSL_ALGORITHM fips_signature[] = {
+ #ifndef OPENSSL_NO_DSA
+- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },
++ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_signature_functions },
+ #endif
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions },
+ #ifndef OPENSSL_NO_EC
+- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions },
+- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions },
++ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_signature_functions },
++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },
+ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions },
+ #endif
+ { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES,
+@@ -421,7 +424,7 @@ static const OSSL_ALGORITHM fips_keymgmt
+ PROV_DESCS_DHX },
+ #endif
+ #ifndef OPENSSL_NO_DSA
+- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions,
++ { PROV_NAMES_DSA, FIPS_UNAPPROVED_PROPERTIES, ossl_dsa_keymgmt_functions,
+ PROV_DESCS_DSA },
+ #endif
+ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions,
+@@ -431,13 +434,13 @@ static const OSSL_ALGORITHM fips_keymgmt
+ #ifndef OPENSSL_NO_EC
+ { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions,
+ PROV_DESCS_EC },
+- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions,
++ { PROV_NAMES_X25519, FIPS_UNAPPROVED_PROPERTIES, ossl_x25519_keymgmt_functions,
+ PROV_DESCS_X25519 },
+- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions,
++ { PROV_NAMES_X448, FIPS_UNAPPROVED_PROPERTIES, ossl_x448_keymgmt_functions,
+ PROV_DESCS_X448 },
+- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions,
++ { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions,
+ PROV_DESCS_ED25519 },
+- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions,
++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions,
+ PROV_DESCS_ED448 },
+ #endif
+ { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions,
+diff -up openssl-3.0.0/test/acvp_test.c.fipsmin openssl-3.0.0/test/acvp_test.c
+--- openssl-3.0.0/test/acvp_test.c.fipsmin 2022-01-12 18:34:17.283654119 +0100
++++ openssl-3.0.0/test/acvp_test.c 2022-01-12 18:35:46.270430676 +0100
+@@ -1473,6 +1473,7 @@ int setup_tests(void)
+ OSSL_NELEM(dh_safe_prime_keyver_data));
+ #endif /* OPENSSL_NO_DH */
+ 
++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */
+ #ifndef OPENSSL_NO_DSA
+ ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data));
+ ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data));
+@@ -1480,6 +1481,7 @@ int setup_tests(void)
+ ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data));
+ ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data));
+ #endif /* OPENSSL_NO_DSA */
++#endif
+ 
+ #ifndef OPENSSL_NO_EC
+ ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data));
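Review bot: The DSA ACVP tests in acvp_test.c (second file of the embedded patch) are disabled with a bare `#if 0`, whose closing `++#endif` is unlabelled although the neighbouring `#endif /* OPENSSL_NO_DSA */` and `#endif /* OPENSSL_NO_DH */` are, and nothing in the tree can turn those tests back on without editing the source. A named guard keeps both the intent and the re-enable path visible, e.g. `#ifdef RH_FIPS_DSA_APPROVED /* placeholder name: DSA carries no fips=yes property in this provider */` … `#endif /* RH_FIPS_DSA_APPROVED */`. The fipsprov.c hunks only swap each entry's property string from FIPS_DEFAULT_PROPERTIES to FIPS_UNAPPROVED_PROPERTIES, so the SHA-1, TDES, KMAC, X25519/X448, Ed25519/Ed448 and DSA implementations still ship in the module and presumably remain fetchable under a property query that does not demand fips=yes; if the goal is that FIPS-mode callers cannot reach them at all, that presumably has to be enforced beyond these tables, and a one-line comment next to the new `ALGCU`/`ALGU` macros saying which of the two is intended would help the next maintainer. The first hunk also leaves two consecutive blank lines (the added `++` line directly before the existing blank context line), a style nit. setup_tests() in acvp_test.c starts and ends outside the hunk.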